Being competitive starts with being productive.
Here's your edge.

To help your business be more productive, the IBM® System x3650 M3 Express® server, featuring the Intel® Xeon® processor 5600 series, can help you achieve up to 40% increased performance.1 With more storage and memory capacity, it is now possible to access and process more data than ever before — helping you to efficiently meet your increased business demands.



IBM System x3650 M3 Express (shown above) 

,229 

or $83/month for 36 months 2 

PN: 7945-E2U

2U dual-socket server featuring up to 2 Intel® Xeon® processor 5600 series 
Energy-efficient design, 92% efficient PS 
3 HS fan modules, altimeter 





IBM System x3550 M3 Express 

$ 1,969 

or $51 /month for 36 months 2 

PN: 7944-E1U

1U dual-socket server featuring up to 2 Intel® Xeon® processor 5600 series 
Energy-efficient design, 92% efficient PS 
6 HS fan modules, altimeter 



IBM System Storage® DS3500 Express

$8,799

or $226/month for 36 months 2

PN: 1746-A2D or 1746-C2A

Dual controller storage system with 2 GB cache, four 6 Gb SAS host attachment ports and 12 3.5-inch SAS disk drive bays.

See for yourself.

See how much you could be saving — in just minutes — with the IBM Systems Consolidation Evaluation Tool.

ibm.com/systems/productivity
1 866-872-3902 (mention 6N8AH30A)

1 Based on Intel Engineering Study, January 2010 - performance increase comparing latest Intel Xeon processor 5600 series to previous generation - Intel Xeon processor 5500 series. See page 8, footnote 3 for more information: http://www.intel.com/Assets/PDF/prodbrief/323501.pdf. 2 Global Financing offerings are provided through IBM Credit LLC in the United States and other IBM subsidiaries and divisions worldwide to qualified commercial and government customers. Monthly payments provided are for planning purposes only and may vary based on your credit and other factors. Lease offer provided is based on an FMV lease of 36 monthly payments. Other restrictions may apply. Rates and offerings are subject to change, extension or withdrawal without notice. IBM hardware products are manufactured from new parts or new and serviceable used parts. Regardless, our warranty terms apply. For a copy of applicable product warranties, visit http://www.ibm.com/servers/support/machine_warranties. IBM makes no representation or warranty regarding third-party products or services. IBM, the IBM logo, System Storage and System x are registered trademarks or trademarks of International Business Machines Corporation in the United States and/or other countries. For a complete list of IBM trademarks, see www.ibm.com/legal/copytrade.shtml. Intel, the Intel logo, Xeon and Xeon Inside are trademarks of Intel Corporation in the U.S. and other countries. All other products may be trademarks or registered trademarks of their respective companies. All prices and savings estimates are subject to change without notice, may vary according to configuration, are based upon IBM's estimated retail selling prices as of 8/09/10 and may not include storage, hard drive, operating system or other features. Reseller prices and savings to end users may vary. Products are subject to availability. This document was developed for offerings in the United States. IBM may not offer the products, features, or services discussed in this document in other countries. Prices are subject to change without notice. Starting price may not include a hard drive, operating system or other features. Contact your IBM representative or IBM Business Partner for the most current pricing in your geographic area. © 2010 IBM Corporation. All rights reserved.
Solving the 3 Barriers to Virtual Platform Performance

Recent innovations that unlock virtualization potentials 


On a virtual platform, fragmentation on top of fragmentation (host and VMs) rapidly creates I/O bottlenecks. The elimination of fragmentation is imperative, but the way a virtual platform shares resources between the VMs can make it difficult to defrag without creating other performance bottlenecks.

The Problem 

Effectively shared resources are of critical importance in a virtual environment but are severely impacted by three key barriers:

1. I/O bandwidth is a vital hardware resource for virtual platform performance. Fragmented files and fragmented free space create more I/O activity than is needed to directly get a job done. This excess use of a virtual platform's limited bandwidth occurs in both host platforms and the virtual machines.

2. Virtual machines compete for shared I/O resources. Excess and unnecessary use of disk I/O channels from any VM will impede performance across all other systems running on the host.

3. Virtual disks set to dynamically grow don't shrink when users or applications remove data. This wastes space that could be allocated to other virtual systems. Manually trying to determine which VMs to shrink is time-consuming and endless.

The Solution 

V-locity® 2 virtual platform disk optimizer by Diskeeper Corporation contains the only feature set that eliminates the most important virtual platform performance issues without also creating resource conflicts.

V-locity 2 optimizes the performance on the virtual platform from host disk to VMs. It eliminates resource management priority conflicts, operates transparently in the background, maximizes I/O bandwidth efficiency and eliminates "bloated" free space on thin/dynamic disks.

1. Eliminating Resource Conflicts. Using InvisiTasking® technology, the V-locity component on the host virtualization operating system is able to effectively coordinate I/O optimization routines across all guest systems using only truly idle system resources. This allows robust real-time defragmentation with zero conflicts across the platform.

[Figure: InvisiTasking resource usage graph in V-locity (on Hyper-V host). Legend: idle resources; idle resources used by InvisiTasking; resources used by system.]

2. Getting Maximum I/O Bandwidth Efficiency. V-locity 2 also includes proprietary IntelliWrite™ fragmentation prevention technology. This highly adaptive application prevents up to 85% of all fragmentation by writing files intelligently to the disk. The recovery of I/Os that would have been wasted produces a significant boost in system speed.

3. Recovering Wasted Free Space. V-locity includes 
a virtual disk compaction feature, the first of its kind, that 
provides a window on how much a thin/dynamic virtual 
disk can be shrunk. A system admin can, with a single click, 
compact any of those selected virtual disks. As a result, better 
allocation of storage resources is easily achieved. 



V-locity 2 not only opens up the full potential of virtualization and its hardware economy, it actually "completes" virtualization's functionality and creates previously unattainable performance and cost efficiencies.


See the difference V-locity can make

The best way to understand the impact of V-locity 2 on your Hyper-V™ or VMware® platform is to see for yourself. Download a FREE 30-DAY TRIAL now:

www.diskeeper.com/WinV2

Or call us for a customized, no-obligation quote: 800-829-6468



© 2010 Diskeeper Corporation. All Rights Reserved. V-locity, IntelliWrite and InvisiTasking are registered trademarks owned by Diskeeper Corporation in the United States and other countries. All other trademarks and brand names are the property of their respective owners.


























System Performance 

What you lose if you only defrag once a week 


Is once-a-week defrag viable as a performance solution for the corporate environment? The Diskeeper Corporation field testing division measured the performance impact such a schedule would have if implemented. Data was taken from actual working environment systems in busy corporations. Normal weekly operations were run but with only a weekly defrag.

The results that most closely reflected the activity of a corporate system indicated around 5,000 new fragments created daily.

A script was created that reflected typical computer activities performed by a majority of computer users: writing and editing MS Office files, web browsing, copying audio, video, and image files, etc. The script used a simulation of the weekly workload on the system. System performance was measured after running the workload script.

Then, the same script was run on an identical system with an identical initial volume state with Diskeeper® 2010 performance technology and real-time fragmentation prevention.


Test 1 - Read file on a folder with Word documents:

With Diskeeper: 30,070.6 msec
No Diskeeper: 62,025.6 msec
52% access time reduction


Test 2 - Read file on a folder with Excel documents:

With Diskeeper: 219.0 msec
No Diskeeper: 412.4 msec
47% access time reduction

Compared to systems defragged once a week, access to Word and Excel documents is twice as fast when fragmentation levels are at or close to zero throughout the week. This means everyday productivity, which is commonly measured by system response time, improves across the board.


Test 3 - Read file on the most fragmented file:

With Diskeeper: 122.4 msec
No Diskeeper: 625.2 msec
80% access time reduction

This is a very significant result because the most fragmented files are those files that are most used and relied upon. Very likely they are shared and therefore affect the productivity of more than one person. An 80% reduction is nearly a 4X increase in file access. And this performance gain will be experienced repeatedly, due to the file's frequency of use.


Test 4 - Copy file test on data folders with documents, pictures and video files:

With Diskeeper: 16 minutes
No Diskeeper: 32 minutes
50% reduction in file copy time

As file and volume sizes grow geometrically, larger amounts of data are being copied and moved in single folders, often creating I/O bottlenecks and system slows. This is a hidden cost to performance when fragmentation exists. Doubling system speed in this area most often benefits the file server, the hub of corporate productivity.


Test 5 - Virus scan of a Word document folder:

With Diskeeper: 4.5 sec
No Diskeeper: 7.5 sec
40% reduction in virus scan time

End point virus scans done on workstations, laptops and file servers absorb system resources. Fragmentation slows the scan down and requires a larger window of time to complete. If done during production hours, performance is impacted for a longer period of time than scanning a defragmented file. If defragmentation is done off hours, a longer scan window needs to be open and other maintenance will have to wait.


Conclusion: 

On average, over 50% of the original performance is lost with once-a-week defrag.

On a small corporate site of five servers and 20 workstations, this is significant. On a large site it is completely unaffordable. Diskeeper improves overall performance by at least that much and maintains peak performance every minute the systems are active.

Test Diskeeper 2010 for yourself, on your own laptops, workstations and servers and see the difference it can make for you. Get the full version trial at: www.diskeeper.com/WinDK

Or call us for a customized, no-obligation quote: 800-829-6468




©2010 Diskeeper Corporation. All Rights Reserved. Diskeeper, the Diskeeper 
Corporation logo and the Diskeeper logo are registered trademarks owned 
by Diskeeper Corporation in the United States and other countries. 















IT PRO PERSPECTIVES 



Crockett 

"Are the products and services that you 
implement helping to drive your 
company's business success?" 


Support the Business: Secure Your Job 

How one IT specialist ensures that technology serves business goals 


You've probably heard that one surefire way to succeed in your IT career is making your company's business your business. This month, we're launching a multi-part investigation of the way IT organizations work with the business leaders in their companies to ensure that the products and services they recommend, implement, and support are ultimately helping drive the company's business success.

This month, I talked about how to foster IT-and-business synergy with Jeff Sears, the senior IT systems administrator at Value Plastics, an 80-employee Colorado-based manufacturing company that makes plastic parts for medical devices. On page 7, in our new Business Technology Perspectives column, you'll find the results of a conversation our industry news analyst, Jeff James, had with Jeff Sears' boss, IT Manager Nels Dachel, and Value Plastics CFO Terry Gibbons. Going forward, each month Jeff James and I will explore various aspects of the IT-and-business relationship by profiling the IT pros and business leaders at specific companies, and shedding light on the dynamics between these positions and the lessons learned.

As the lead architect of Value Plastics' IT solutions, Jeff Sears appreciates his close ties with the business leaders of the company. Two difficult-to-control factors contribute to this synergy: The company is small, and one of the vice presidents was "the IT guy" when he started 10 years ago. At that time, the company had a single server and Windows 95.

"He's a really smart operator, really understands the business," 
said Sears. "Somewhere along the line, the decision was made to 
purchase the ERP solution that our business is built around. It's a 
really complicated solution and so integrated into the business. It 
just made sense that the IT department was driving a lot of that." 

Another factor Sears cites for the tight bond between IT and 
business is that the company strives to be an industry leader 
in manufacturing parts for medical devices. "We've found that 
leveraging IT, automating processes, and keeping our costs down 
is a way to keep our competitive advantage—and keep jobs in the 
United States rather than off-shoring them," Sears said. 

Sears said that the IT team's relatively long history with the company also helps them work effectively with the business leaders. "I've been here six years; the IT manager has been here seven years," Sears said. "So we just understand all the pieces of the whole company and how everything fits together. It's not a case where the networking and phone teams are in separate silos and good luck bridging all those."

The fact that the company is small and at least one of the executives has an IT background undoubtedly paves the way for the IT team to have good rapport with the business leaders. But Sears advises you IT pros out there to follow oft-repeated industry advice for ensuring that your work is supporting the business—and solidifying your career:

1. Do your homework. "When you're researching solutions, 
look at the current industry trends, look at how things fit with 
your organization, and determine whether the latest trend is 
good or bad for your company," Sears said. 

2. Understand the business. "Make sure you can talk to your 
business leaders in their own language—in business terms." 

3. Remember that everyone will judge a solution based on 
“What's in it for me?" Sears said that if he's presenting a solution 
to the CFO, for example, he will focus on financial benefits. 

Sears said that keeping a solid business understanding front and center when making purchasing decisions helps the company prepare for expansion in the future. "A lot of things I work on are related to infrastructure, so those solutions typically have to prove ROI now and have flexibility for the future," Sears said. "For example, I needed to upgrade our switches about three years ago, and I went with HP ProCurve, which was a bit more expensive but had a lot of capabilities. Now, as we want to virtualize and implement VLANs, we're really tapping into those capabilities that we saw had potential if we had a business need."

Being able to point out the foresight involved in past purchasing decisions paves the way for other purchases that might be more expensive in the short term but can lead to future business innovation.

Do you have insights to share about how your IT organization works with business leaders in your company? Send your thoughts to me via email at michele.crockett@penton.com. And follow me on Twitter @michelecrockett.

InstantDoc ID 128890 


MICHELE CROCKETT (michele.crockett@penton.com) helped launch 
SQL Server Magazine in 1999, has held various business and editorial roles 
within Penton Media, and is currently editorial and custom strategy director 
of Windows IT Pro, SQL Server Magazine, and System iNEWS. 
BUSINESS TECHNOLOGY PERSPECTIVES


James 

"The best approach is one where IT and 
all the relevant stakeholders work together 
to meet the needs of all parties." 



Serve the Business: Embrace Strategic Goals 

Focus less on ROI and more on the best technology solution for the need at hand 


Sometimes the most challenging tasks for any IT professional don't deal with technology but with how that technology is selected, paid for, and implemented. Most IT pros have many tales of being at odds with management or other parts of their organization over IT issues—a challenging situation that makes their jobs more difficult.

Purchasing new IT products and services for any organization can be a long and arduous process, involving many stakeholders and requiring buy-in and approval from many different people. In some shops, the IT staff owns the process, with little input from management. In others, non-IT staff might have more influence. Undoubtedly, the best approach is one in which IT and all the relevant stakeholders work together to meet the needs of all parties, while delivering solutions that are cost-effective and advance the needs of the organization.

One company that seems to be taking that approach is Value 
Plastics, a Fort Collins, Colorado-based manufacturer of medical 
supplies. I had the opportunity to speak with Value Plastics CFO Terry 
Gibbons and IT Manager Nels Dachel to get their perspective on 
how IT can work best with business decision-makers. My colleague 
Michele Crockett spoke with IT Manager Jeff Sears, and you can read 
his story in Michele's IT Pro Perspectives column in this issue. 

When asked about pitfalls that IT professionals can avoid when 
dealing with business stakeholders, Dachel stressed that the IT 
department needs to always have the business interest of the larger 
organization in mind. 

"It's important to realize that IT is there to serve the larger needs 
of the business," Dachel says. "I've been an IT manager for a long 
time, and I've always tried to make sure that the culture in our IT 
department is all about service to the rest of the organization. If 
the rest of the company isn't happy with the IT department, you're 
not doing your job." 

Dachel also suggests that IT professionals sometimes need to put their own personal preferences about technology solutions on the shelf and try to see what truly is the best solution for the business as a whole. "You really need to look at using the best technology solution for the problem at hand and not try to evangelize your own preferences," says Dachel. "I'm a developer with a .NET background. My knee-jerk preference in some situations is that we can write the solution ourselves. But that's not always the right choice and sometimes is the wrong solution for the business. I really don't like [popularity] contests about Mac vs. PC, .NET vs. Java, and so on. You really need to focus on what technology solution is best for the need at hand."

I also spoke with Nels' boss, Terry Gibbons, to get his perspective on how business owners should make IT an integral part of the strategic direction of the company.

"Our IT department is really involved in the business. Our entire organization leans on them, and they really help us optimize our business processes," Gibbons says. "I've worked as a CFO in several large companies, and I've encountered IT departments that were literally treated as those 'back room people' who didn't have a good understanding of what the needs of the business were, or the IT leader wouldn't let them. They could write code and generate reports, but they didn't have the same level of visibility, exposure, and integration that our IT department has at Value Plastics."

Gibbons also takes an enlightened approach with IT costs and spending and is reluctant to focus too heavily on return on investment (ROI) and other financial metrics to measure IT success. "I'm really more concerned about giving our employees the best tools we can. I'm not overly concerned about an immediate ROI as long as we can get that return down the road and [as long as] we're putting our investments where we need to now."

One final bit of advice from Gibbons and Dachel about building bridges between IT and business stakeholders involves simply being open to learning about what your colleagues have to offer. "Nels and the IT department started reporting to me about a year ago, and when that happened we made each other a deal," explains Gibbons. "We meet every week to review things and go through our current to-do list. And I promised to spend some of that time teaching Nels about finance, and Nels promised to teach me a bit about IT. That arrangement is working out pretty well so far."

Do you have insights to share about how your IT organization works with business leaders in your company? Please send your thoughts to me via email at jeff.james@penton.com, or follow me on Twitter @jeffjames3. You can also feel free to check out my Business Technology Perspectives blog online at www.windowsitpro.com.
P2V Migration

I read John Savill's FAQ, "What's Microsoft P2V Migration for Software Assurance?" (InstantDoc ID 128797). According to Microsoft, only full, retail, licensed copies of the OS have the necessary rights to be moved to a different PC. Open or volume-license OSs don't have transfer rights. Can you please explain the licensing model necessary to be able to use Disk2VHD?

—Paul M. Abke 

The blog post "Licensing Basics: What Are Transfer Rights?" (http://blogs.msdn.com/b/mssmallbiz/archive/2007/11/01/5821322.aspx) has the information you need. OEM software can't be transferred to other hardware. I would stress that P2V with Disk2VHD is a last resort. I would reserve this option for those few machines whose Windows 7-incompatible software can't be reinstalled as part of XP Mode/MED-V due to lack of installation media or other such factors.

—John Savill 

WSUS Code Tip 

I have a suggestion that leverages the performance of the script presented by M. Samer Sawas in his article "Automate the Product Update Approval Process in WSUS" (September 2010, InstantDoc ID 125613). Replace the line

$updates = $updateServer.GetUpdates()

with the following lines:

# Collect only the updates whose titles are listed in the required-updates file,
# accumulating the results so that every title's matches survive the loop.
$updates = @()
foreach ($title in $ReqUpdatesFile) {
    $updates += $updateServer.SearchUpdates($title)
}


This approach improves the performance 
dramatically because it doesn't ask the 
WSUS server for all updates but only for 
the updates one wants to approve. 

—Markus Kostler 
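As an added example, not part of this letter or of the original article's script, the per-title search above carried through to the approval step with the same WSUS administration API. It also handles a caveat a practitioner runs into with SearchUpdates: the call is a text search, so a short title can match unrelated updates whose title or description contains it, and the example keeps only exact title matches before approving. The file path C:\wsus\required-updates.txt, the target group name Pilot and the $dryRun switch are assumptions for the illustration.

```powershell
# Added example (not the article's script): approve only the updates named in a file,
# querying WSUS per title instead of pulling the whole update catalogue with GetUpdates().
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$requiredUpdatesFile = "C:\wsus\required-updates.txt"   # assumed path: one exact update title per line
$targetGroupName     = "Pilot"                           # assumed WSUS computer target group
$dryRun              = $true                             # report what would be approved; set $false to approve

# Connect to the local WSUS server and resolve the target group by name.
$updateServer = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$targetGroup  = $updateServer.GetComputerTargetGroups() | Where-Object { $_.Name -eq $targetGroupName }
if (-not $targetGroup) { throw "Target group '$targetGroupName' not found" }

$installAction = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Accumulate matches across titles; assigning inside the loop would keep only the last title's results.
$updates = @()
foreach ($rawTitle in Get-Content $requiredUpdatesFile | Where-Object { $_.Trim() }) {
    $title = $rawTitle.Trim()
    # SearchUpdates matches text broadly, so restrict the result to an exact title match.
    $updates += $updateServer.SearchUpdates($title) | Where-Object { $_.Title -eq $title }
}

foreach ($update in $updates) {
    # Skip anything already handled or no longer relevant.
    if ($update.IsDeclined -or $update.IsSuperseded) { continue }
    if ($update.IsApproved) { Write-Host "Already approved: $($update.Title)"; continue }

    if ($dryRun) {
        Write-Host "Would approve: $($update.Title) for $targetGroupName"
        continue
    }

    # Some updates cannot be approved until their license agreement is accepted.
    if ($update.RequiresLicenseAgreement) { $update.AcceptLicenseAgreement() }
    [void]$update.Approve($installAction, $targetGroup)
    Write-Host "Approved: $($update.Title) for $targetGroupName"
}
```

Run it once with $dryRun left at $true and compare the "Would approve" list against the file; an unexpected entry means a title in the file is not specific enough to identify a single update.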

ImageX Kudos and Question 

I recently read Mark Minasi's "ImageX Pro¬ 
vides Disk Imaging on a Budget" (Instant¬ 
Doc ID 125743). I also use Windows PE 
boot disks and ImageX as an imaging tool 
for image creation and deployment, and 
the solution works great. You can't beat 
the price! 

Mark mentions that you have to boot off the WinPE CD, then run ImageX from another source. On my CD, ImageX is present. I don't think I added it manually. But as you can add files to the source folder before creating the WinPE CD, you might want to mention to users that they can add ImageX (and other useful tools or network drivers) to the CD.

The one problem I have with this 
imaging method is that almost every 
time I deploy an image, the PC won't 
boot. There's a bootloader or boot sector 
problem. So, I load the Windows Vista or 
Windows 7 DVD and perform a repair. The 
system automatically detects and fixes the 
boot problem, and everything is fine. Is 
there a way to avoid this extra step? 

—Rich Van Alstine 

You did a default installation of your basic Windows 7 system. Doing that puts the boot image on a separate 100MB partition without a drive letter, and ImageX isn't smart enough to go get it. Next time, in Setup, take the whole hard disk, make it a single C, then let Windows install. That will be the basis of a trouble-free, bootable system. I hope this helps, and thanks for reading!

—Mark Minasi 
InstantDoc ID 128877 
Best Practices Guide: Microsoft Exchange 2010
As a business-critical application that requires adaptability, Exchange 2010 is a perfect candidate for virtualization. On physical hardware, Exchange 2010's capabilities are constrained by under-utilization of server computing resources, lack of flexibility to respond to changing workloads, and heavy costs associated with maintaining disaster recovery, test, and development environments. This best practices guide details the most effective ways to deploy Exchange 2010 in a virtual environment.
NEED TO KNOW


Thurrott 

"Office 365 actually is a way for Microsoft to sell its 
Office and Office-type server products as consolidated 
hosted offerings. It's about subscription pricing, 
which for Microsoft is the holy grail." 



What You Need to Know About Windows Phone, 
HP Slate, and Apple in the Enterprise 


As I write this, I'm gearing up for the 2010 Professional Developers Conference (PDC), a smaller-than-usual show that will be held this year at Microsoft's Redmond campus. So I'm hoping to have some news about Windows 8 in time for next month's column, as well as other PDC-related information. But as we careen toward the end of 2010, there's still a lot going on, between Windows 7 momentum releases like the Internet Explorer 9 Beta release (discussed last month) and Windows Live Essentials 2011, plus the pending Small Business Server updates, in which I'm particularly interested. But forget all that for now. I've got other fish to fry.

Windows Phone in the Enterprise 

I like Windows Phone 7 so much, I wrote a book about it. But I 
do have some worries about its applicability in the enterprise. It 
comes down to one simple issue: The consumerization of IT. You 
either love it or you hate it, and that attitude should guide your 
decision about Windows Phone 7, at least for this next year. 

Windows Phone 7 is a system aimed, primarily, at consumers 
who want to buy their own phones and use them at work. And 
in record numbers, businesses aren't just allowing this, they're 
embracing it. After all, if their workers actually want to buy their 
own phones, they can save hundreds of dollars in charges per 
employee every single month. What's not to love? As long as the 
thing supports some modicum of Microsoft Exchange policies, 
employees can hook up with their work accounts and busily toil 
on work-related projects day and night. 

The dark side of this approach is that these phones are also 
highly connected mini-computers capable of sending sensitive 
corporate data to others, inadvertently or not. And for some 
companies, that's simply not acceptable. These businesses want 
to tightly control which mobile devices can be used within their 
organizations, and they use high-end Microsoft (or RIM) servers 
to make it happen. In such scenarios, Windows Phone isn't an 
option, not yet. Microsoft will likely add Windows Mobile-style 
management capabilities to Windows Phone by the end of 2011. 
But they're not available now. 

Windows 7 Has Been a Huge Success. Now What? 

Microsoft CEO Steve Ballmer said something interesting in the wake of the successful launch of Windows Phone 7 back in October. When asked what the company's riskiest product was, he didn't say Windows Phone or Kinect, or anything obvious. Instead, he replied that it was the next version of Windows, still known as Windows 8.

I find Ballmer's answer to be incredibly telling. Windows 7, as 
I'm sure you're aware, is a huge success. Microsoft sold over 240 
million licenses to its latest client OS in the first year of availability, 
a rate of over 20 million per month. Windows 7 is running on over 
93 percent of all new PCs, Microsoft says, and already owns almost 
20 percent of the installed base. And there's even good news from 
the business sector, where IDC reports that almost 90 percent of all 
businesses have at least some plan to deploy Windows 7. 

So what's the problem? Windows 7 was largely a huge success because its predecessor was so bad. And while Windows 7 is indeed a refined, nicely tuned sequel to the reviled Windows Vista, it didn't exactly push any boundaries. This was a safe and easy release, an incremental update, a minor refresh of a solid foundation. How will Microsoft possibly outdo itself with Windows 8? It's quite likely that the software giant will ship a very high quality new version of Windows in 2012. But it might actually be a tough sell. It's one thing to get people to upgrade from something horrible. But how do you get them to upgrade from something everyone loves?

HP Slate PC 500 

By the time you read this, HP should have begun shipping its 
business-class slate PC, imaginatively titled the HP Slate 500 PC. 
This keyboard-less iPad lookalike features a low-end, single-core 
Atom processor, 64GB of solid state storage, 2GB of RAM, and 
Windows 7 Business, which includes both multi-touch and Tablet 
PC-based input capabilities. HP is thus targeting the device firmly 
at the business market, but it's hard to escape the feeling that the 
company isn't behind its Slate PC in any meaningful way. 

Remember that this device was first unveiled, with some fanfare, by Microsoft CEO Steve Ballmer back in January 2010. Microsoft is HP's biggest partner, and the software giant has a lot riding on tablets, given the success of Apple's consumer-oriented iPad. But since the announcement, HP purchased Palm for its webOS, and it has also announced that it will be delivering a webOS-based tablet in the months ahead. When you factor in news that Intel won't have a credible tablet chipset available until early 2011, the Slate PC has "albatross" written all over it. My advice is to skip this computer. But then I don't have to tell you that: Businesses have been ignoring tablet PCs in droves since 2002.
Office 365 Is More About Subscription Pricing than the Cloud

One of my big complaints about Microsoft's Business Productivity Online Services (BPOS), through which the software giant has offered hosted versions of Exchange, SharePoint, and other popular servers, is that it has never been particularly affordable for small businesses. Which, when you think about it, is the type of business that could most benefit from offsite IT services rather than expensive and complicated on-premises solutions.

That's all changing with a new Microsoft product strategy that's resulted in a more cohesive online offering called Office 365. Explaining Office 365 is hard only if you are truly aware of all of the productivity-oriented online services Microsoft previously had, all of which were branded and marketed differently. For example, it consolidates BPOS, Office Live Small Business, and (soon) Live@edu, all under one branding umbrella.

But Office 365 actually is a way for 
Microsoft to sell its Office and Office-type 
server products as consolidated hosted 
offerings. It's about subscription pric¬ 
ing, which for Microsoft is the holy grail 
because its business customers tend to 
purchase new versions of Office, Exchange, 
and other related products on increasingly 
long schedules. 

There will be two versions of the offer¬ 
ing: Office 365 Beta for small businesses 
and Office 365 Beta for enterprises. Both are 
subscription services that include access 
to Office Web Apps, Exchange Online, 
SharePoint Online, and Lync Online (a 
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next-generation version of Office Commu¬ 
nications Server). 

Pricing is improved over previous BPOS 
pricing tiers. The small business version 
targets businesses with 25 or fewer employ¬ 
ees and will cost $6 per user per month. 
The enterprise version adds the Office 2010 
Professional Plus client software, 24x7 sup¬ 
port, and other features, and will cost $2 to 
$24 per user, per month and have volume- 
license options. 

Office 365 is currently available for test¬ 
ing in a beta version (office365.com). And 
the software giant expects the final version 
to hit sometime in 2011. 


An Apple in the Enterprise? 

There's no doubt about it, Apple is on a roll. The company continues to make huge gains in the mobile market with its iPhone and iPod touch devices. The iPad, while slowing from a sales perspective, has still jumpstarted a new product category, and even its Mac computer line is making steady gains, especially in the US, where it accounts for 1 in 10 of all consumer PCs. For Microsoft, however, the biggest threat from Apple is the same as it's ever been: Apple is simply the most influential company in the technology arena. 

Which leads me to a semi-obvious question: At what point does Apple simply go from being an annoyance, from a Microsoft perspective, to being a real threat? After all, Apple has surpassed Microsoft from a market cap perspective, and while that's a fairly artificial measurement (Microsoft's profits are still astronomically higher than Apple's, for example), it's pretty clear that if current trends continue, we're going to have to drop the "artificial" language from that description pretty soon. It's entirely possible that Apple will be both bigger and more influential than Microsoft. 

This may not be as dire as it sounds. Apple's gains haven't come at Microsoft's expense, at least not yet, and not in Microsoft's core markets. As noted above, Windows 7 is preinstalled on over 93 percent of all PCs today, and while Apple owns about 10 percent of the US market for new PCs, it owns only 4.2 percent worldwide. Virtually all of the other computers being sold are running Windows. 

Apple makes no credible server products and doesn't try to. Its hosted offerings are aimed at the tiny percentage of consumers who have both Macs and iPhones. Microsoft, meanwhile, is making huge moves to transition its client and server products from local, on-premises solutions to the cloud. All while Apple is distracted by adding iOS features (from the iPhone and iPad) to its Mac OS X product line. 

Apple is growing in areas that are important, yes, but not threatening to Microsoft's core businesses. And while Microsoft does need to establish itself in the mobile market, this is the one tech market that's growing almost exponentially. Apple and Microsoft can grow together without necessarily harming the other, at least until this market matures. 

There will continue to be much gnashing of teeth in Microsoft camps over the rise of Apple and what that portends. But remember, Microsoft does its best work when it has competition, and Apple is one of its most aggressive competitors yet. This battle, such as it is, is good for Microsoft, good for the industry, and good for consumers of technology. My guess is that Apple will continue to be a huge presence in the consumer market for the foreseeable future, but then so will Microsoft. And Microsoft will continue to handily beat Apple in businesses and in the cloud. Is this really something to stress over? 
Minasi 

"Like most deployment experts, 
you create different images to 
address different groups'needs." 



Save Space with ImageX's Append Option 

Simplify your efforts to create multiple image files for multiple user types 


In my past couple columns, I've shown you how to use the ImageX /capture command to image a system and how to use ImageX /deploy to deploy that image to a new system. Those two ImageX commands are quite useful, but if they're all you know about ImageX, you're probably burning up a lot of disk space creating and working with your disk images. Any sort of file purporting to encapsulate an entire C drive is probably huge! But ImageX has a neat trick that lets you put two, three, four, or any number of images in a single Windows image (.wim) file—while increasing the size of that .wim file by only a small percentage. That trick is the /append option. 

If deployment is your job, you probably haven't created just one image for the systems in your office. More likely, you've got unique images for employees with varying job functions. Sure, the engineers and the sales folks both run Windows 7, Microsoft Office, and Adobe Acrobat, but the engineers don't need your contact-management software and the sales team doesn't need your circuit-emulation application. So, like most deployment experts, you create different images to address different groups' needs. (IT pros who use Microsoft Development Toolkit—MDT—can utilize another approach by creating separate task sequences for certain job classifications, but that's a story for another day.) 

Suppose the engineers' image turns out to be 30GB, and the sales team's image turns out to be 31GB. If you're using a typical imaging tool (e.g., ImageX, employing only the /capture command), that would mean you need to find 61GB of space in which to store the two of them. To save a bunch of that space, though, you could use ImageX's /append command. 

Here's how it works. First, you would create one of the images (it doesn't matter which), then use ImageX's /capture command to capture the image file, as I've shown you in previous articles, using a command such as 

    imagex /capture c: s:\images\salesimage.wim "Sales force image" /verify 

That command would capture the file S:\images\salesimage.wim, a 31MB file—again, nothing new here. But then you create a prototypic workstation for the engineers, prepare it with Sysprep, boot it with Windows Preinstallation Environment (WinPE), and type the command 

    imagex /append c: s:\images\salesimage.wim "Engineering image" /verify 

In both commands, you're telling ImageX to write image information to a file called salesimage.wim, but the effect is different in each case. In the first command, the /capture command instructs ImageX to create salesimage.wim, and in the process overwrite any existing file by that name. Thus, if you had imaged the salesperson's image as salesimage.wim, then used /capture to image the engineer's image onto salesimage.wim, you would have deleted the salesperson's image. 

The /append option works differently, adding extra images to an existing .wim file. You might recall that when we used ImageX to apply an image to an empty hard disk, we specified not only the name of the file containing the image but also the number 1. That number was the index of the image that we wanted to apply, and even though we had created a .wim file that contained only one image, ImageX still needed to know which image to use. (The /append option will refuse to work if the target .wim file doesn't already exist.) 

To save space, ImageX examines each file destined for the new, second image, looking for identical files in the first image, and—if it finds a matching pair—ImageX leaves the duplicated file out of the second image, essentially putting an IOU in its place. That's where /append earns its keep. The second image's files for Windows, Office, and Acrobat are identical to the first's, so adding the engineering image to salesimage.wim doesn't double its size but instead increases it only by the size of the circuit-emulation software. 

Now, understand that you'd never see what I've called an IOU; if you were to apply the second image to an empty machine, nothing would be lacking. The savings comes solely from a space-stingy algorithm. The /append option takes all the options you've already learned for /capture, so it's easy to use. 

Suppose you've forgotten what images are in a .wim file. In that case, you can use the ImageX /info command, as in 

    imagex /info salesimage.wim 

ImageX will then tell you how many images the .wim contains, as well as a bit about each image. (The output is a bit ugly, but it serves.) More on handling multiple-image .wim files next time! 
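The file-level de-duplication the column describes, as an added example that is not ImageX's code and not the real WIM container format: a small content-addressed store in Python in which capturing a first image and appending a second one keeps each distinct file payload once, so the container grows only by the bytes that are new. The file names and contents are constructed sample data; the /capture, /append, /info and /apply methods mirror the commands discussed above by name only.

```python
"""Model of the space saving behind ImageX /append.

Added example, not ImageX and not the real WIM file format: a
content-addressed store keeps one copy of each distinct file payload, and
each image is only a table from path to payload hash. Appending a second
image that shares most files with the first therefore grows the store by
the new bytes only. All file names and contents are constructed sample data.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class WimStore:
    """Container holding any number of images over one de-duplicated blob store."""

    blobs: dict[str, bytes] = field(default_factory=dict)  # sha256 -> payload
    images: list[tuple[str, dict[str, str]]] = field(default_factory=list)  # (name, path -> sha256)

    def _ingest(self, name: str, files: dict[str, bytes]) -> None:
        table: dict[str, str] = {}
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            # An identical payload already in the store is referenced, not copied
            # (the "IOU" the column describes); a new payload is stored once.
            self.blobs.setdefault(digest, data)
            table[path] = digest
        self.images.append((name, table))

    @classmethod
    def capture(cls, name: str, files: dict[str, bytes]) -> "WimStore":
        """Like /capture: start a fresh container (an existing one would be replaced)."""
        store = cls()
        store._ingest(name, files)
        return store

    def append(self, name: str, files: dict[str, bytes]) -> int:
        """Like /append: add an image to an existing container; returns its 1-based index."""
        self._ingest(name, files)
        return len(self.images)

    def size(self) -> int:
        """Bytes actually stored, counting every distinct payload once."""
        return sum(len(data) for data in self.blobs.values())

    def info(self) -> list[tuple[int, str, int, int]]:
        """Like /info: (index, name, file count, logical size) for each image."""
        return [
            (index, name, len(table), sum(len(self.blobs[h]) for h in table.values()))
            for index, (name, table) in enumerate(self.images, start=1)
        ]

    def apply(self, index: int) -> dict[str, bytes]:
        """Like applying image N: rebuild the full tree; shared files are all present."""
        _, table = self.images[index - 1]
        return {path: self.blobs[h] for path, h in table.items()}


# Constructed sample trees: the common software is byte-identical in both images.
COMMON = {
    r"Windows\System32\ntoskrnl.exe": b"kernel" * 1000,
    r"Program Files\Office\winword.exe": b"word" * 500,
    r"Program Files\Adobe\acrobat.exe": b"acro" * 300,
}
SALES_ONLY = {r"Program Files\CRM\contacts.exe": b"crm!" * 200}
ENGINEERING_ONLY = {r"Program Files\SPICE\circuit.exe": b"spice" * 400}


def demo() -> dict:
    """Capture the sales image, append the engineering image, and measure the growth."""
    wim = WimStore.capture("Sales force image", {**COMMON, **SALES_ONLY})
    after_capture = wim.size()
    index = wim.append("Engineering image", {**COMMON, **ENGINEERING_ONLY})
    return {
        "engineering_index": index,
        "size_after_capture": after_capture,
        "size_after_append": wim.size(),
        "growth": wim.size() - after_capture,
        "engineering_only_bytes": sum(len(d) for d in ENGINEERING_ONLY.values()),
        "info": wim.info(),
        "apply_restores_everything": wim.apply(index) == {**COMMON, **ENGINEERING_ONLY},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running demo() shows the container growing by exactly the engineering-only bytes while the appended image still restores every file, which is the whole point of /append; the real tool does this at the level of file contents inside the .wim, not with a Python dictionary.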
Otey 

"Unlike the iPhone, which is locked into 
AT&T, Windows Phone 7 takes a carrier-neutral 
approach that will let Windows Phone 7 
be used with many different carriers." 


Windows Phone 7 Enterprise Features 

Many security features as well as carrier and device choice make this 
a good option for businesses 


Nothing is hotter than the mobile device space, and the release of Windows Phone 7 just turns up the dial. Microsoft put on a Windows Phone 7 launch event to introduce its new smartphone OS on October 11, 2010, with AT&T as the initial carrier. The phone platform joins Apple's iPhone, Google's Android devices, and RIM's Blackberry as one of the four best smartphone choices. In this column, I'll look at some of the main enterprise-oriented features in Windows Phone 7. 

• Password security—Security is one of the most important features for enterprise devices, and password security is the most basic level of security for controlling access to the device. Windows Phone 7 supports device security using passwords and PINs. 

• Device security—In addition, Windows Phone 7 provides several levels of device security. Windows Phone 7 doesn't allow you to access data on the phone by linking it to a computer. There's also no support for SD cards that can be removed from the device. 

• Central policy management—Windows Phone 7 supports the basic IT management policies through Exchange ActiveSync (EAS), such as requiring passwords and enforcing different levels of password strength, as well as the ability to remotely wipe the device and to restore its original factory settings after multiple failed unlock attempts. However, initially there isn't the ability to manage Windows Phone 7 through System Center. 

• Secure data communications—The transmission of data from Windows Phone 7 is encrypted using 128-bit or 256-bit SSL encryption. Windows Phone 7 also supports secure access to on-premises applications and network resources by using Microsoft's Forefront Universal Access Gateway (UAG). 

• Application isolation—All Windows Phone 7 applications are created using managed code, which ensures that the applications won't corrupt the underlying OS. In addition, Windows Phone 7 applications can't directly access the file system or other system resources. Developers must use APIs to access these types of system resources. Microsoft supplies a free Visual Studio 2010 Express for Windows Phone SDK, which enables the development of Windows Phone 7 applications using either C# or Visual Basic. You can get the SDK from Microsoft's website at www.microsoft.com/express/phone. 

• Isolated storage—Each application that runs on Windows Phone 7 can have its own storage area that's completely separate from the storage used by the phone OS or other Windows Phone 7 applications. This storage architecture keeps applications from inadvertently affecting the operations of other applications or of the phone itself. 

• Multiple carriers—Unlike the iPhone, which is locked into AT&T, Windows Phone 7 takes a carrier-neutral approach that will let Windows Phone 7 be used with many different carriers. Although the smartphone platform's initial debut was with AT&T, Microsoft has formed partnerships with all of the major US network carriers as well as many international carriers. 

• Multiple device choices—Microsoft has long refuted the claim that the company would produce the phone itself, and with the release of Windows Phone 7, the company's stance has been proven. Like Google's Android devices—but unlike the iPhone—Windows Phone 7 phones will be manufactured by multiple device makers, including HTC, Dell, and Samsung. 

• Support for multiple Exchange Server mailboxes—Windows Phone 7 lets users synchronize their phone with multiple Exchange accounts using EAS. Windows Phone 7 can sync with Exchange 2010, Exchange 2007, and Exchange Online. In addition, Windows Phone 7 supports connectivity to POP3 and IMAP mail accounts. 

• Mobile Office apps—Mobile versions of the Microsoft Office apps were a feature I used in Windows Mobile and might be the only thing I miss now in the Android phone I currently have. Windows Phone provides a mobile edition of Microsoft Office, including Word, Excel, PowerPoint, OneNote, and SharePoint, which is integrated with the Office hub. 

InstantDoc ID 128845 
Systems Management and Compliance 

Yet Another 10 Free Tools for System Administrators 

Audit Active Directory and file servers, detect inactive users, block USB devices, and more - for free 

The following freeware tools by Windows IT Pro Community Choice Awards finalist NetWrix Corporation can save you a lot of time and make your network more efficient - at absolutely no cost. Some of these tools have advanced commercial versions with additional features, but none of them will expire and stop working when you urgently need them. 

1. Active Directory Change Reporter (Windows IT Pro Sep'09: InstantDoc ID 102446, Windows IT Pro Jan'09: InstantDoc ID 100593, TechTarget: www.tinyurl.com/38jna3n) — This is a simple auditing tool to keep tabs on what's going on inside Active Directory. The tool tracks changes to users, groups, OUs, and other types of AD objects, and sends summary reports with full lists of what was changed and how it was changed. In addition, it has a nice "rollback" feature that helps roll back unwanted changes (including deletions) very quickly. Download link: www.tinyurl.com/32xhp28 

2. USB Blocker (Windows IT Pro Nov'09: InstantDoc ID 102860) — Users bring tons of consumer devices: flash drives, MP3 players, cell phones, etc., into the office, and this aptly-named tool can block them with a couple of mouse clicks to prevent the spread of a virus and to restrict the take-out of confidential information. The product is integrated with Active Directory and is very easy to use. Download link: www.tinyurl.com/33sln47 

3. Password Expiration Notifier (Redmond Magazine Feb'09, 4sysops: www.tinyurl.com/32heesb) — This tool will automatically remind users to change passwords before they expire to keep you safe from password reset calls. It works nicely for users who don't log on interactively and, thus, never receive standard password change reminders at log on time (e.g., VPN and OWA users). Download: www.tinyurl.com/3533jss 

4. Inactive Users Tracker (MS TechNet Magazine May'08: www.tinyurl.com/3yqpur9) — This feature tracks down inactive user accounts (e.g., terminated employees) so you can easily disable them, or even remove them entirely, to eliminate potential security holes. The tool sends reports on a regular schedule, showing what accounts have been inactive for a configurable period of time (e.g., 2 months). Download link: www.tinyurl.com/3xbvub3 

5. File Server Change Reporter (4sysops.com: www.tinyurl.com/32ztpk0) — This tool enhances the line of auditing tools; this one is for file servers. File Server Change Reporter detects changes in files, folders, and permissions, tracks deleted and newly-created files, and sends daily summary reports. This is a very useful tool to detect mistakenly-deleted files and recover them from backup, or to see if someone changes some important files. Download link: www.tinyurl.com/37yq5hii 

6. Active Directory Object Restore Wizard (4sysops.com: www.tinyurl.com/3ywx8rz) — This tool can save the day if someone accidentally (or intentionally) deleted a bunch of Active Directory objects. It provides granular object-level and even attribute-level restore capabilities to quickly roll back unwanted changes (e.g., mistakenly deleted users, modified group memberships, etc.). Download link: www.tinyurl.com/36cqbuy 

7. VMware Change Reporter (TechTarget/SearchVirtualDesktop: www.tinyurl.com/33mgxpk) — If you don't know what is being changed by your colleagues in the VMware infrastructure, it's very easy to get lost and miss changes that can affect the things for which you are responsible. This tool tracks and reports configuration changes in VMware Virtual Center settings and permissions. Download link: www.tinyurl.com/3823r2c 

8. Windows Service Monitor (WindowsReference.com: www.tinyurl.com/36vohbt) — This very simple monitoring tool alerts you when some Windows service accidentally stops on one of your servers. The tool also detects services that fail to start at boot time, which sometimes happens, for example, with Exchange Server. Download link: www.tinyurl.com/378y7t2 

9. Bulk Password Reset (reviewed by SoftPedia: www.tinyurl.com/3ax386r) - While most companies have strong password policies for their employees, one critical issue is still neglected: local Administrator passwords on all servers are usually managed in a "set and forget" fashion, sometimes using some "well-known" passwords, opening a major surface for security attacks. The Bulk Password Reset tool quickly resets local account passwords on all servers at once, making them more secure. Download link: www.tinyurl.com/2v6vzyw 

10. Disk Space Monitor (MS TechNet Magazine Sep'09: www.tinyurl.com/35dmgyt) — Even with today's terabyte-large hard drives, server disk space tends to run out quickly and unexpectedly. This simple monitoring tool will send you daily reports regarding all servers that are running low on disk space, below the configurable threshold. Download link: www.tinyurl.com/34x5aq9 
READER TO READER 


Thwart Hackers with a Dummy 
Domain Administrator Account 

When you set up an Active Directory (AD) domain, it automatically creates an Administrator account for that domain. Because the domain Administrator account is responsible for controlling all the objects in the domain, it's a common target for malicious activity. You can tighten your domain's security by changing the name of this account and putting a dummy account in its place. This is simple to do: 

1. Rename the domain Administrator account to something else, such as DOM-ADMIN. Changing the name won't affect the account's default permissions or rights. 

2. Create a non-administrator account, name it Administrator, then disable this dummy account. 

3. Set up auditing for failed security events for the newly created dummy account. 

Once the dummy account is being audited, you should periodically check the event logs for failed security events. The events will most likely be due to 

• Someone trying to hack your domain—Unaware of the name change, hackers will use the default name Administrator in their malicious attempts. 

• Incorrectly configured applications—If someone has incorrectly configured an application (e.g., backup software) to use the domain Administrator account, the application will start to fail after the name change and generate failed security events. 





No matter whether a failed security event is due to a malicious attack or an incorrectly configured application, you have a problem. 

Note that every member server and client has a local Administrator account, so setting up a dummy domain Administrator account won't protect the member servers or clients. However, you can set up dummy accounts for local Administrator accounts, as well. 

—Paul Lemonidis, messaging specialist, 
Tower Hamlets Council 

InstantDoc ID 128813 
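The periodic log check the tip recommends, as an added example that is not part of the tip: Python that reads failed-logon events, keeps only those aimed at the decoy Administrator name, and groups them by where they came from. It assumes the "failed security events" are event ID 4625 (the failed-logon event on Windows Server 2008 and later) and that the log has been exported to CSV with that event's own field names (TargetUserName, WorkstationName, IpAddress, LogonType, Status); the log lines themselves are constructed sample data. A steady trickle from one server looks like the misconfigured backup software the tip mentions, while attempts from several sources look like someone probing the domain; as the tip says, both need following up.

```python
"""Detection over Security log exports for a dummy Administrator account.

Added example, not part of the Reader to Reader tip: it takes failed logon
events (event ID 4625 on Windows Server 2008 and later, an assumption about
which event the tip's "failed security events" are), keeps those aimed at
the decoy Administrator name, and groups them by origin. The log is
constructed sample data in a CSV export shape; the column names follow the
4625 event's own fields.
"""
from __future__ import annotations

import csv
import io
from collections import Counter

DUMMY_ACCOUNT = "Administrator"  # the disabled decoy; the real account was renamed (e.g., DOM-ADMIN)

# Constructed sample export. 0xC000006D is the NTSTATUS for a bad user name or password.
SAMPLE_LOG = """\
TimeCreated,EventId,TargetUserName,TargetDomainName,WorkstationName,IpAddress,LogonType,Status
2010-11-02T01:00:03,4625,Administrator,CORP,BACKUP01,10.0.0.15,3,0xC000006D
2010-11-02T02:00:04,4625,Administrator,CORP,BACKUP01,10.0.0.15,3,0xC000006D
2010-11-02T03:00:02,4625,Administrator,CORP,BACKUP01,10.0.0.15,3,0xC000006D
2010-11-02T03:14:55,4625,administrator,CORP,,203.0.113.7,3,0xC000006D
2010-11-02T03:14:56,4625,administrator,CORP,,203.0.113.7,3,0xC000006D
2010-11-02T03:15:01,4625,ADMINISTRATOR,CORP,,198.51.100.9,10,0xC000006D
2010-11-02T08:30:10,4625,jsmith,CORP,WS042,10.0.0.42,2,0xC000006D
2010-11-02T09:00:00,4624,DOM-ADMIN,CORP,DC01,10.0.0.2,2,0x0
"""


def parse_events(text: str) -> list[dict]:
    """Parse a CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def decoy_failures(events: list[dict], account: str = DUMMY_ACCOUNT) -> list[dict]:
    """Failed logons (4625) aimed at the decoy. Windows account names are not
    case-sensitive, so the comparison is not either."""
    return [
        e for e in events
        if e["EventId"] == "4625" and e["TargetUserName"].lower() == account.lower()
    ]


def by_source(failures: list[dict]) -> dict[str, int]:
    """Attempts per origin: the workstation name when the client supplied one,
    otherwise the source IP address. Every non-zero entry needs following up."""
    counts: Counter = Counter()
    for e in failures:
        counts[e["WorkstationName"] or e["IpAddress"] or "<unknown>"] += 1
    return dict(counts)


def report(text: str = SAMPLE_LOG, account: str = DUMMY_ACCOUNT) -> dict:
    """Summary that a scheduled check of the logs can raise as an alert."""
    failures = decoy_failures(parse_events(text), account)
    return {
        "total": len(failures),
        "by_source": by_source(failures),
        "logon_types": dict(Counter(e["LogonType"] for e in failures)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample, BACKUP01 fails hourly over the network (logon type 3), which is the signature of a scheduled job still configured with the old name, while the two external addresses show up only briefly; the failed attempt by jsmith and the successful DOM-ADMIN logon are ignored because they do not target the decoy.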

Using Mount Points in My Documents 

Many programs that run on Microsoft Windows OSs default their Save As dialog boxes to your Documents or My Documents folder. The actual location of the directory is usually the C:\Users\<UserName>\Documents folder in Windows Vista and later or the C:\Documents and Settings\<UserName>\My Documents folder in Windows XP and earlier. 

If you're like me and keep certain files on other drives (e.g., F drive, G drive), the My Documents landing spot causes extra work. For example, if you want to save a file to a folder on the G drive, you have to scroll up from the default Documents folder, collapse the C folder tree, and expand the G folder tree before you can navigate to the desired folder. Fortunately, Windows 2000 and later provides a utility called Disk Management (diskmgmt.msc), which you can use to create mount points. 


Tell the IT community about the free tools you use, your solutions to problems, or the discoveries you've made. Email your contributions to r2r@windowsitpro.com. If we print your submission, you'll get $100. 

Submissions and listings are available online at www.windowsitpro.com. Enter the InstantDoc ID in the InstantDoc ID text box. 


By creating a mount point that maps to an empty NTFS folder on an existing partition/drive letter, you can create a "shortcut." I found this to be a handy way to simplify navigation from the default document store on the C drive to a drive that I prefer, saving me time and clicks. 

Here's how to create a mount-point shortcut: 

1. Open the Disk Management utility. Highlight the G drive/partition, right-click it, and select Change Drive Letter and Paths. In addition to seeing the current drive letter assignment of G: in the Change Drive Letter and Paths dialog box, you'll see an Add button. Click this button to open the Add Drive Letter or Path dialog box. 


2. In the Add Drive Letter or Path dialog box, make sure the Mount in the following empty NTFS folder option is enabled. Click the Browse button and navigate to the C:\Users\<UserName>\Documents folder (Vista and later) or the C:\Documents and Settings\<UserName>\My Documents folder (XP and earlier). Highlight that folder and click the New Folder button to create a new folder. Name it 1 G and click OK. In the Mount in the following empty NTFS folder field, you'll now see C:\Users\<UserName>\Documents\1 G (Vista and later) or C:\Documents and Settings\<UserName>\My Documents\1 G (XP and earlier). Press OK to exit the Add Drive Letter or Path dialog box. 

3. In the Change Drive Letter and Paths dialog box, you should now see the C:\Users\<UserName>\Documents\1 G entry in addition to the G: entry. Click OK to close the dialog box, then close the Disk Management utility. 


Now when you open a Save As dialog box in a program, it will open to Documents or My Documents, but you'll see 1 G at the top of the Documents or My Documents folder tree. Figure 1 shows the Save As dialog box in Microsoft Word 2010. Click 1 G and you're immediately on the G drive/partition. By this time, you probably realize why the mount folder's name begins with the number 1 followed by a space—it causes the mount folder to be at the top of the folder list. 

One last note about mount points: If you open the Windows Help and Support program in Windows 7 or Vista and search for mount volume, you'll see the Help article "Mount or dismount a drive." At the bottom of this article, there's a note that says, "The Recycle Bin does not recognize mounted drives, so if you try to delete a file that's stored in a mounted drive, you might receive an error. To bypass the Recycle Bin and permanently delete the file, click the file, and then press Shift+Delete. When you permanently delete a file, you can't recover it unless you have a current backup copy of the file." 

Based on my testing on Windows 7 and Vista, that isn't correct. I've had no problems deleting files on a mounted drive by right-clicking a file and selecting Delete. In addition, I've been able to restore those deleted files in the Recycle Bin by right-clicking a file and selecting Restore. 

You can make a mount-point shortcut in Documents or My Documents (or elsewhere for that matter) for as many drives as needed. For more information, see the "Volume Mount Points" section in the Windows 2000 Resource Kit article "Disk Management" at technet.microsoft.com/en-us/library/cc960726.aspx. I hope mount points can save you some time and clicking. 

Figure 1: Microsoft Word's Save As dialog box showing the 1 G mount point 

—Bret A. Bennett, IT consultant, West Palm Beach 

InstantDoc ID 128817 
Service Accounts Can Be Secure Yet Have Non-Expiring Passwords 

Deny logon locally is a Group Policy Object (GPO) setting that should be used for all service accounts because it shuts down one avenue of exploitation—an interactive logon (e.g., a logon using Ctrl+Alt+Del) to a system with that account. Most security teams frown on allowing accounts with non-expiring passwords to exist, but it's often near impossible to do without having some. One of the biggest concerns people have is that the account could be used anywhere on the network, leading to abuse of it. To satisfy security teams and auditors, I came up with a simple way to comply with this security practice but still have service accounts with passwords that don't expire. Here's what you need to do: 

1. In the AD domain, create a security group named something like DenyLogonsLocal. In this new group, you'll want to include the IDs that you're planning to run a service or a process with but don't need to be used to interactively log on to any machine in the domain. 

2. From a machine on which the Group Policy Management Console (GPMC) is installed, create a GPO. You can disable User Configuration because it's not needed. 

3. Navigate to Windows Settings\Security Settings\Local Policies\User Rights Assignments\Deny logon locally. Enter the security group you created in step 1, and save the GPO. 

4. Make sure the GPO is set to authenticated users. Because all the computers in the domain are part of authenticated users, it will apply to all workstations and servers. 

5. Link this GPO at the domain level with no override (ensures someone doesn't undo your work at a lower-level organizational unit—OU) and with Computer Configuration enabled. 

6. Allow time for the workstations and servers to apply the new GPO, then attempt to do an interactive logon from a workstation or server using one of the IDs you made a member of the security group created in step 1. The logon attempt should fail. 

7. If you have more than one domain, you can put groups from the trusted domain in the GPO. However, you might want to make a GPO like this on both sides (in case of two-way trusts). 

I recommend that you only grant the access an account needs rather than automatically giving it Administrator access, as the majority of services and processes can be run without Administrator access. For those accounts that need Administrator access, you can still add IDs in local administrator groups on servers or on workstations to support your process and know the IDs can't be used for interactive logons. In the end, both the IT and security teams are closer to a more secure environment. 

—Kevin Willenborg, Lead Directory Services 

InstantDoc ID 128799 


ANSWERS TO YOUR QUESTIONS 



Q: Is it true that the standard edition of Windows Server 2008 R2 public key infrastructure (PKI) can issue v2 and v3 certificates? 

A: Yes. Before Server 2008 R2, only Enterprise and Datacenter editions could issue v2 and v3 certificates, but Server 2008 R2 Standard Edition Active Directory Certificate Services can issue v2 and v3 certificates. This is great for small business server organizations. The standard edition also now supports auto enrollment and key archival. 

—John Savill 

InstantDoc ID 126102 

ASK THE EXPERTS 

Q: What are the pagefile recommendations for Hyper-V servers? 

A: Typically, it's recommended that pagefiles be the same size as a system's total RAM. However, in a Hyper-V server with 128GB of RAM (which is mainly being used by VMs), do you need a 128GB pagefile? No, you don't need that much in the parent because the parent doesn't use it. So, what should you use? A good rule is to use a pagefile size of 8GB, which will allow kernel dumps from the parent when needed. 

—John Savill 

InstantDoc ID 126075 

Q: How do I create a DHCP scope in Windows Server 2008 and Server 2008 R2? 

A: DHCP is a key service to enable the dynamic allocation of IP addresses to your network. Without DHCP, each machine has to be manually configured with an IP address, gateway, and DNS information. This might work for a small number of servers, but in any sizable environment, the ability for clients to dynamically get IP addresses is vital. 

Windows has long had a DHCP service, and it has improved with each new version. In Server 2008 and later, DHCP is a server role that's added through Server Manager. Once you've added the DHCP Server role, you need to configure a scope—a set of IP addresses the DHCP service can allocate from to give to requesting clients. It's important that the DHCP scope you define consists of IP addresses that aren't used on any machine in the network (such as statically defined on a server) nor part of a scope on another DHCP server. Duplicate IP addresses in an environment will cause major problems, and it's always good practice to have an IP allocation scheme and tracking. Some organizations use IP addresses 10-50 of each subnet for servers and printers, 60-240 for DHCP clients, and so on. 

Once the DHCP Server role is installed, you need to authorize the DHCP server by navigating to the DHCP Server role in Server Manager, selecting the server, and selecting Authorize. You can now create a scope. 

1. Navigate to DHCP Server, <server>, IPv4. 

2. Select New Scope from the actions. 

3. Click Next to go to the introduction wizard screen. 

4. You'll be prompted for a name for the scope and a description. Make it meaningful, such as the IP addresses in the scope, and click Next. 

5. Enter the starting IP address, the ending IP address, and the subnet mask detail and click Next. 

6. You can now add specific IP address ranges that should be excluded from the scope. Maybe you have some servers that have IP addresses within the range you're allocating to DHCP, which therefore shouldn't be given to clients. You can also set a delay time, which is the amount of time the DHCP server will wait before responding to DHCP requests. Click Next. 

7. Set the length of time for the IP address lease. The longer the lease time, the less frequently machines can renew the address—but that means clients keep the address longer. If you have a lot of through traffic of machines on the network, you don't want those machines keeping the lease for long, because your scope will run out of addresses. Set a small lease, maybe a day. Click Next. 

8. You can configure DHCP options, such as default gateway, DNS servers, WINS servers, etc. Or select No and set them later, or at a server level (for things like DNS server etc). Default gateway will likely be different for each scope. Click Next. 

9. Click to activate the scope. 

10. If you wanted to select items like DNS and WINS at the server level, the settings apply to all scopes on the server. Select Server Options and you can set global options. 

Once you have DHCP configured, you can run 
Upgrading hundreds or thousands of desktops to Windows 7 can be costly and time-consuming.

Windows 7 Migration Kit

Technical Tips for Evaluating VMware ThinApp for Win 7 Migration


Migrating users and their critical applications to Windows 7 is a process fraught with gotchas. Need to run Office 2007 and Office 2010 side-by-side on the same machine conflict-free before you flip the switch and transition your users to one version? Gotcha! Have Web apps that only run in IE6? Gotcha! Trying to run your favorite Java applet in 64-bit Win7? Gotcha! ThinApp gets you past these and other Win7 migration gotchas by letting you encapsulate apps in self-contained executables or MSIs for easy distribution and use without any conflict or suffering from Win7 "application obsolescence."



Start with a clean copy of Windows XP when using the ThinApp Setup Capture tool, to ensure that the resulting package runs smoothly under Windows XP and Windows 7. You can run Setup Capture from a mapped network drive that also serves as a repository for all of the VMware ThinApp binaries and application packages. This eliminates the need to copy anything onto the clean Windows XP hard drive.

Use an SP2 version of Windows XP as the target for the ThinApp Setup Capture tool. This ensures that the application installer automatically includes any updated DLL or other system files, because these will not be present in an older OS image.

Test a use case of a kiosk PC by deploying ThinApp packages on "locked-down" PCs and allow end users to run the applications without creating security exposures. Because applications are executed in user mode, users do not require administrative rights.




Deploy, maintain, and update virtualized applications on USB "thumb drives" that let users safely run applications anywhere: a public Internet station, or a third party's desktop or notebook machine. Running applications from a USB drive on multiple unmanaged devices represents the ultimate solution for portability.




Support IE6 Web apps on Win 7 32-bit and 64-bit desktops. IE6, IE7, and IE8 all have extensive user bases, yet it's impossible to test all three versions on a single Windows OS. The most reliable testing method is to use three separate PCs. And running IE6 natively on Win7 is impossible. Win7's "XP Mode" is resource intensive for most user systems. Use ThinApp to virtualize IE6 for deployment on Windows 7 to run side by side with another natively installed IE version. See http://kb.vmware.com/kb/1026565 for step-by-step instructions.
VMware ThinApp Streamlines the Application Life Cycle (diagram):

Develop

Package: Apps inside EXE and MSI files with no source changes.

Apps against desktop images and other apps. Virtualized apps behave the same on different environments. Reduce testing time!

Deploy: Apps using existing management tools and infrastructure.

Update / upgrade: Apps locally or over a network from a single image.

Migrate: Legacy Win XP apps to Windows 7 to extend apps' life!
Utilize ThinApp's unique new ThinDirect functionality to direct URLs to the appropriate virtual or native browser for web application/web browser compatibility. This can be done during the Setup Capture process or managed dynamically via GPO. See the following KB article for step-by-step instructions on utilizing ThinDirect: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026566

Use ThinApp's AppLink (application link) feature to configure relationships between runtime components such as Java, .NET, ODBC, or your own inter-dependent applications. You can then deploy components separately, avoiding the need to update the entire package set every time one component changes. You can optionally require specific components at run time, so that the primary application won't launch if it can't connect to the required linked components.

Deliver application updates to unmanaged desktops on slower remote networks, using ThinApp's AppSync (application sync) feature. AppSync transfers only the "delta," or differences, between a new app version and the one already deployed, letting you easily update applications even on unmanaged machines over the Internet. Administrators can force a check for update or specify a time interval for when the application will cease functioning if it has not "phoned home."

Use Active Directory to limit who can run your ThinApp packages. You can add and remove ThinApp-authorized users from AD groups to control access to encapsulated applications, while embedding specific AD-enforced access control into the package. This lets you freely distribute a package without compromising control, because access control is embedded inside the package even if it is later moved to a different device.

Employ VMware View's Integrated Application Assignment to roll out ThinApp packages to pools of desktops in a streamlined deployment. You create an Application Assignment template to collect multiple application packages for streamlined deployment. You can specify whether packages are deployed into the VMs or streamed from a Windows file share.


ipconfig /renew

on your clients and they should get an IP address from your DHCP server. You can see the address with the ipconfig command.

—John Savill 

InstantDoc ID 128803 
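The ten wizard steps above, scripted as an added example (not code from the original answer) with the DhcpServer PowerShell module, which ships with Windows Server 2012 and later rather than the Server 2008 release the answer describes. The server name, subnet and address blocks are constructed, and the overlap check against scopes already on the server is a guard the wizard itself does not perform.

```powershell
# Added example: create the DHCP scope from steps 1-10 with the DhcpServer
# module (Windows Server 2012+), refusing to proceed if the new range overlaps
# a scope already defined on this server.
# Constructed values: subnet 192.168.10.0/24, servers/printers at .1-.59,
# clients at .60-.240 (the allocation scheme quoted in the answer).
Import-Module DhcpServer

function ConvertTo-UInt32 ([ipaddress]$ip) {
    # Reverse to big-endian so numeric comparison follows address order
    $b = $ip.GetAddressBytes(); [array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-ScopeOverlap ([ipaddress]$Start, [ipaddress]$End, [string]$Server) {
    # Returns the existing scopes whose range intersects [Start, End];
    # an empty result means the new scope is safe to create on this server.
    $s = ConvertTo-UInt32 $Start; $e = ConvertTo-UInt32 $End
    Get-DhcpServerv4Scope -ComputerName $Server | Where-Object {
        (ConvertTo-UInt32 $_.StartRange) -le $e -and (ConvertTo-UInt32 $_.EndRange) -ge $s
    }
}

$server  = 'dhcp01.corp.example'   # constructed
$scopeId = '192.168.10.0'          # constructed
$start   = '192.168.10.1'
$end     = '192.168.10.254'

# Authorize the server in AD (the step before the wizard starts)
Add-DhcpServerInDC -DnsName $server -ErrorAction SilentlyContinue

$overlap = Test-ScopeOverlap -Start $start -End $end -Server $server
if ($overlap) {
    throw "Range $start-$end overlaps existing scope(s): $($overlap.ScopeId -join ', ')"
}

# Steps 4-5: name, description, range and mask. Step 7: a one-day lease for a
# network with many transient machines. The wizard's response delay (step 6)
# is -Delay, in milliseconds. The scope is created inactive and activated last.
Add-DhcpServerv4Scope -ComputerName $server -Name 'Floor 2 clients 192.168.10.x' `
    -Description 'Clients 192.168.10.60-240; servers/printers excluded' `
    -StartRange $start -EndRange $end -SubnetMask 255.255.255.0 `
    -LeaseDuration (New-TimeSpan -Days 1) -Delay 0 -State Inactive

# Step 6: exclude the statically assigned server/printer block and the top of
# the range so they are never handed to clients.
Add-DhcpServerv4ExclusionRange -ComputerName $server -ScopeId $scopeId `
    -StartRange 192.168.10.1 -EndRange 192.168.10.59
Add-DhcpServerv4ExclusionRange -ComputerName $server -ScopeId $scopeId `
    -StartRange 192.168.10.241 -EndRange 192.168.10.254

# Step 8: the default gateway differs per scope, so set it at scope level.
Set-DhcpServerv4OptionValue -ComputerName $server -ScopeId $scopeId -Router 192.168.10.1

# Step 10: DNS servers and domain set without -ScopeId apply to every scope.
Set-DhcpServerv4OptionValue -ComputerName $server -DnsServer 192.168.1.10, 192.168.1.11 `
    -DnsDomain 'corp.example'

# Step 9: activate, then confirm what the server will now hand out.
Set-DhcpServerv4Scope -ComputerName $server -ScopeId $scopeId -State Active
Get-DhcpServerv4Scope -ComputerName $server -ScopeId $scopeId |
    Format-Table ScopeId, Name, StartRange, EndRange, LeaseDuration, State -AutoSize
Get-DhcpServerv4ExclusionRange -ComputerName $server -ScopeId $scopeId
```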

Q: How do I copy Outlook data to another application?

A: For any version of Microsoft Outlook, you can capture the data within a view and then copy and paste to transfer that content to another application. While this might seem trivial, it really isn't. Try it with another email client like Zimbra Desktop. It isn't even an option.

Most email applications require some data query followed by an export command, sometimes with output that needs to be further manipulated before it can be used. With Outlook, you can easily manipulate the columns in the main UI to present the data you want to copy.

When Microsoft implemented the vertical reading pane in Outlook 2003, it changed how the main window content was displayed. Outlook 2007 set the vertical reading pane as the default. Because of the limited amount of horizontal screen space, Microsoft compressed the visible presentation by hiding all but the most common columns a user would need. When the width of the main UI is expanded, the presentation changes to show the exact columns in the main UI. This is easily done when you drag the right edge of the main window pane until the columns set, or when you remove the reading pane altogether.

You can highlight and copy the content using either right-click and Copy or by pressing Ctrl+C. Of course, if you want to copy more than is visible on the screen, you can either keep Ctrl pressed while you scroll, or use Shift+Page Down to highlight blocks of content, or Shift+End to append the rest of the content after the initial selection.

When you copy the content from Outlook, it retains some formatting with OLE, including spacing between the column items. You can see this using a Clipboard content viewer. In Windows XP and Vista, there's a utility called clipbrd.exe found in \windows\system32\. Windows 7 doesn't have a comparable utility, but there's freeware available that can do this, such as ClipMagic. When you paste this content to another application, the destination application may be smart enough to separate the columns by recognizing space between fields. Excel will write data across multiple columns based on that formatting.

In the main Outlook UI, the data displayed in the primary mail pane is a subset of the possible information that can be presented. With the reading pane turned off and the mail data in columns, you can easily control what information is viewed. If you right-click somewhere on the column headings to reveal the context menu, you can then select Field Chooser. Alternatively, in Outlook 2010, you can select View, Add Columns for another version of the same tool.

With the Field Chooser, you can drag and drop individual column headings from the Field Chooser window to the column bar in the order you want to view them; whereas the Add Columns interface provides the familiar option of selecting one or many column headings and clicking the arrow to add a column heading to the column list.

The order of the columns for the Add Column dialog box is controlled by dragging the column heading in the right pane of the window up or down or by selecting a column you want to move and then clicking either the Move Up or Move Down buttons at the bottom as needed. When you click OK at the bottom of the Add Column box, the changes are applied to the Outlook view.

So why is this valuable? The Field Chooser (and Add Column option) has numerous columns that could provide valuable information for reporting or sharing. This applies to other categories in addition to mail. By default, the Field Chooser lists the Frequently Used fields; however, there are many fields or columns available for the different Outlook data types—Mail, Contacts, Appointments, Tasks, and more.

Outlook data can be copied directly from the Outlook interface in table format to be pasted in other applications. This form of data retrieval from Outlook works the same with the list views of Contacts, Calendar, and other Outlook folders. Copying and pasting Outlook data this way makes it easy for users to move data to other applications without being concerned with Import/Export options. This can be used to move specific Outlook data using copy and paste to other solutions for reporting, archiving, querying, or manipulating outside of Microsoft Outlook.

—William Lefkovics 

InstantDoc ID 126084 

Q: Why would I use BitLocker on a 
device without the requirement to 
enter a PIN or a USB device? Does 
it just protect against someone 
removing the hard disk from the 
machine? 

A: The Full Volume Encryption Key decrypts protected volumes. It's stored in the Trusted Platform Module (TPM), which is part of a computer's hardware. If someone steals the whole machine, that person has the TPM and the disk together. So, if no PIN input or USB device presence is required, the thief now has full access to the machine. In this case, BitLocker has done nothing to help you, right? No, that's where you're wrong.

BitLocker is designed to protect the 
data "at rest." In the scenario above, the thief 
would be able to turn the laptop on and 
the OS would boot, but it would boot into 
the normal Windows secure logon screen, 
at which point the thief wouldn't be able 
to do anything without logon credentials. 

If the thief tried to boot the machine from Linux or another OS to access the NTFS volume outside of Windows, the early Windows boot code that interacts with the TPM and decrypts the drive wouldn't be called, so the volume would still be encrypted with BitLocker and unreadable.

Obviously, it's normally recommended that you use a PIN or USB key with part of the code, which would stop the OS from even booting. But don't think that BitLocker without these configured options gains you nothing. You're still protecting the volumes from attack outside of the Windows OS, and the intruders would only gain access to a logon screen with no credentials.

—John Savill 

InstantDoc ID 126033 
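A check that follows from this answer, added here and not part of the original: list every BitLocker volume and flag the TPM-only configuration the question asks about (no PIN and no USB startup key). It assumes the BitLocker PowerShell module, which exists on Windows 8/Server 2012 and later rather than the Windows 7-era systems the answer has in mind, and an elevated session.

```powershell
# Added example: report volumes whose boot is gated by the TPM alone, with no
# PIN or USB startup key. Requires the BitLocker module (Windows 8 / Server
# 2012 and later) and an elevated prompt.
function Get-TpmOnlyBitLockerVolume {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Protectors that require something the thief does not hold along with the
        # machine: a PIN (TpmPin, TpmPinStartupKey), a USB startup key
        # (TpmStartupKey, ExternalKey) or a data-volume password.
        $hasPreBootSecret = $types -match '^(TpmPin|TpmStartupKey|TpmPinStartupKey|ExternalKey|Password)$'
        $hasTpm = $types -contains 'Tpm'

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType         # OperatingSystem or Data
            ProtectionStatus    = $vol.ProtectionStatus   # On / Off
            Protectors          = ($types -join ',')
            TpmOnly             = ($vol.ProtectionStatus -eq 'On' -and $hasTpm -and -not $hasPreBootSecret)
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

# TPM-only volumes still protect data at rest against offline reads (the point
# of the answer), but boot straight to the logon screen. Adding a TPM+PIN
# protector is the hardening the answer recommends:
#   Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector -Pin (Read-Host -AsSecureString)
Get-TpmOnlyBitLockerVolume | Format-Table -AutoSize
Get-TpmOnlyBitLockerVolume | Where-Object TpmOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) unlocks with the TPM alone; consider adding a PIN or startup key."
}
```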
Table 1: Hyper-V Dynamic Memory Balancer performance counters

Performance Counter         Description
--------------------------  -----------------------------------------------------
Added Memory                The cumulative amount of memory added to VMs.
Available Memory            The amount of memory left on the node.
Average Pressure            The average pressure on the balancer node.
Memory Add Operations       The total number of add operations.
Memory Remove Operations    The total number of remove operations.
Removed Memory              The cumulative amount of memory removed from VMs.


Q: What are the new performance 
counters in Hyper-V R2 SP1 that 
measure dynamic memory? 

A: Adding SP1 to a Hyper-V R2 server adds the new dynamic memory feature. You should first know a little bit about how this feature works.

As you can imagine, to figure out how much memory a virtual machine (VM) requires, you'll need monitoring data. That monitoring data provides information to the memory balancer that lets it make decisions about which VMs need more or less RAM.

Thankfully, that monitoring data is also exposed to a Hyper-V host's UI inside Performance Monitor. Two counter groups are available. The first, Hyper-V Dynamic Memory Balancer, provides host-level information about the behaviors of the memory balancer itself. That counter group has six counters, shown in Table 1. Each running VM will also provide information into the second counter group, Hyper-V Dynamic Memory VM. This counter group provides information to the memory balancer function that enables it to accomplish its tasks. Ten counters are present in this group, as Table 2 shows. While this information is intended primarily for consumption by the memory balancer, it can also provide useful data about how your VMs are processing their workloads.

For example, if your numbers of Memory Add Operations and Memory Remove Operations are high, this means that the level of memory used by that VM is seeing a high level of change. This can occur due to processes that are starting and stopping, or processes that are routinely requiring different levels of memory for their tasks.

—Greg Shields 

InstantDoc ID 125977 
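An added example, not from the original answer, that reads the two counter groups from Tables 1 and 2 with Get-Counter and turns the cumulative Memory Add/Remove Operations into a per-VM rate over an observation window, which is the "high level of change" the answer describes. The counter set and counter names are those the answer gives; the window length and the churn threshold are assumptions.

```powershell
# Added example: sample the Hyper-V Dynamic Memory VM and Balancer counter
# groups (Tables 1 and 2) on a Hyper-V R2 SP1 or later host and report, per VM,
# how many add/remove operations happened during the window. Run elevated.
function Get-DynamicMemoryChurn {
    param(
        [int]$Seconds   = 60,   # observation window (assumption)
        [int]$Threshold = 10    # add+remove operations per window treated as "high" (assumption)
    )

    $vmPaths = @(
        '\Hyper-V Dynamic Memory VM(*)\Memory Add Operations',
        '\Hyper-V Dynamic Memory VM(*)\Memory Remove Operations',
        '\Hyper-V Dynamic Memory VM(*)\Average Pressure',
        '\Hyper-V Dynamic Memory VM(*)\Physical Memory'
    )
    $balancerPaths = @(
        '\Hyper-V Dynamic Memory Balancer(*)\Available Memory',
        '\Hyper-V Dynamic Memory Balancer(*)\Average Pressure'
    )

    # The Add/Remove counters are cumulative totals (Table 2), so two snapshots
    # $Seconds apart give the number of operations in the window.
    $first  = Get-Counter -Counter $vmPaths -ErrorAction Stop
    Start-Sleep -Seconds $Seconds
    $second   = Get-Counter -Counter $vmPaths -ErrorAction Stop
    $balancer = Get-Counter -Counter $balancerPaths -ErrorAction Stop

    # Index a sample set as [instance][counter name] -> cooked value.
    # Hashtables created with @{} are case-insensitive, which matters because
    # Get-Counter returns lowercased paths.
    function ConvertTo-SampleTable ($sampleSet) {
        $t = @{}
        foreach ($s in $sampleSet.CounterSamples) {
            $name = ($s.Path -split '\\')[-1]
            if (-not $t.ContainsKey($s.InstanceName)) { $t[$s.InstanceName] = @{} }
            $t[$s.InstanceName][$name] = $s.CookedValue
        }
        return $t
    }
    $a = ConvertTo-SampleTable $first
    $b = ConvertTo-SampleTable $second

    foreach ($vm in $b.Keys) {
        if (-not $a.ContainsKey($vm)) { continue }   # VM started during the window
        $adds    = $b[$vm]['Memory Add Operations']    - $a[$vm]['Memory Add Operations']
        $removes = $b[$vm]['Memory Remove Operations'] - $a[$vm]['Memory Remove Operations']
        [pscustomobject]@{
            VM             = $vm
            AddOps         = $adds
            RemoveOps      = $removes
            AvgPressure    = [math]::Round($b[$vm]['Average Pressure'])
            PhysicalMemory = $b[$vm]['Physical Memory']
            HighChurn      = (($adds + $removes) -ge $Threshold)
        }
    }

    # Host-level view from Table 1's Balancer group, shown with -Verbose
    foreach ($s in $balancer.CounterSamples) {
        Write-Verbose ('Balancer {0}: {1} = {2}' -f $s.InstanceName, ($s.Path -split '\\')[-1], $s.CookedValue)
    }
}

Get-DynamicMemoryChurn -Seconds 60 -Verbose |
    Sort-Object AddOps, RemoveOps -Descending | Format-Table -AutoSize
```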


Q: I'm trying to deploy Windows 
Server 2003 using a WIM file, but 
when I deploy the WIM file the 
boot sector created is the Server 
2008 version. What's wrong? 

A: You're probably using the Windows Server 2008/Windows Vista or later Windows Preinstallation Environment (PE) with the bootsect.exe command. This will deploy the Server 2008/Windows Vista NTFS boot sector. To deploy the Windows 2003 NTFS boot sector, use bootsect.exe with the /nt52 switch.

—John Savill 

InstantDoc ID 126034 

Q: In VMware High Availability 
(HA) Admission Control policies, 
what does Host failures cluster 
tolerates mean? 

A: You might be asking yourself exactly how many resources get set aside when Admission Control is enabled. The answer depends on which Admission Control policy you select. Three policies become available upon enabling Admission Control. Those policies are Host failures cluster tolerates, Percentage of cluster resources reserved as failover spare capacity, and Specify a failover host. I'll talk about the first of these in this Q&A and save the others for my article "Configuring High Availability in VMware vSphere 4.1," page 45.

Staff in most environments are likely to 
choose the first of these policies and set 
its value to 1. While confusingly named, 
this policy in fact sets aside a quantity of 
resources that are equal to one cluster 
host's contribution. Thus the name Host 
failures cluster tolerates. 

Your reason for using this policy has to do with the amount of host failure protection you'll likely want. In a small ESX cluster of only four hosts, Admission Control might set aside 25 percent of the cluster's total resources—25 percent represents one host's resource contribution. On the other hand, a cluster of 10 hosts might need only 10 percent of its total resources.

A typical midsized cluster will rarely see more than a single host perish at a time. If you set this policy's value to 1, Admission Control will always monitor how much processor and memory resources are available throughout the entire cluster and reserve one host's worth as unused. If your cluster is bigger, the probability that more than one host will die simultaneously goes up. In that case, you might consider raising this value to 2 or more.

It's important to recognize that clusters with different kinds of servers pay an unexpected burden. Admission Control policy wants to protect against any host failing, which really means the biggest host failing. As a result, this setting will set aside a quantity of resources equal to that biggest host's contribution. This behavior means that clusters with dissimilar hardware will always lose the contribution of their most powerful host. Plan accordingly!

Table 2: Hyper-V Dynamic Memory VM performance counters

Performance Counter             Description
------------------------------  -----------------------------------------------------
Added Memory                    The cumulative amount of memory added to the VM.
Average Pressure                The average pressure in the VM.
Current Pressure                The current pressure in the VM.
Guest Visible Physical Memory   The amount of memory visible in the VM.
Maximum Pressure                The maximum pressure band in the VM.
Memory Add Operations           The total number of add operations for the VM.
Memory Remove Operations        The total number of remove operations for the VM.
Minimum Pressure                The minimum pressure band in the VM.
Physical Memory                 The current amount of memory in the VM.
Removed Memory                  The cumulative amount of memory removed from the VM.

—Greg Shields 

InstantDoc ID 126068 

Q: Do I need to defrag a BitLocker- 
protected volume? 

A: Absolutely. Encryption is performed sector by sector, and defragmentation is too. Defragging will still help reduce noncontiguous reads.

—John Savill 

InstantDoc ID 126077 

Q: I have an error with a Microsoft Application Virtualization (App-V) OSD file. It's been removed, but I still can't launch the virtualized application. Why not?

A: When App-V hits a problem with a malformed OSD file, it tracks the bad OSD in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Softgrid\4.5\Client\IgnoredApps. So, if you've resolved the malformed OSD, you need to delete the string value associated with the malformed OSD entry so that the application will be able to launch.

Note that if you're using a 64-bit version of Windows, the registry key is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\IgnoredApps (note the addition of Wow6432Node).

—John Savill 

InstantDoc ID 126078 
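The registry cleanup the answer describes, as an added PowerShell example that is not part of the original answer. It checks both the native path and the Wow6432Node path given above, deletes only the entry naming the OSD you have already fixed, and supports -WhatIf; the OSD file name is a constructed placeholder.

```powershell
# Added example: list and clear the entries the App-V 4.5 client records for
# malformed OSD files, at the registry locations named in the answer. On 64-bit
# Windows the 32-bit client writes under Wow6432Node, so both paths are checked.
# Run from an elevated prompt.
function Get-AppVIgnoredOsd {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\IgnoredApps',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\IgnoredApps'
    )
    foreach ($p in ($paths | Where-Object { Test-Path $_ })) {
        $key = Get-Item $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $p
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

function Remove-AppVIgnoredOsd {
    # Removes only entries whose name or data mention the given OSD file, so a
    # mistyped name does not wipe every tracked entry. -WhatIf previews deletions.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$OsdFileName)

    Get-AppVIgnoredOsd | Where-Object {
        $_.Name -like "*$OsdFileName*" -or "$($_.Value)" -like "*$OsdFileName*"
    } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("$($_.Key)\$($_.Name)", 'Remove ignored-OSD entry')) {
            Remove-ItemProperty -Path $_.Key -Name $_.Name
        }
    }
}

Get-AppVIgnoredOsd | Format-Table -AutoSize
Remove-AppVIgnoredOsd -OsdFileName 'ContosoApp.osd' -WhatIf   # constructed file name
```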

Q: I'm trying to install System Center Configuration Manager (SCCM) 2007 on a machine that doesn't have Internet connectivity. I need to provide ConfigMgr.manifest.cab for the installation, but I can't find it for download. Where is it?

A: ConfigMgr.manifest.cab contains details about updates available for the SCCM installation. It's not available as a standard download from Microsoft. Instead, you need to run a specific command on a machine that has Internet connectivity (it doesn't have to be a server—I used a Windows 7 desktop). The command downloads all the updates and can place them in a folder, which you can then direct the setup process to use for updates during the SCCM installation.

Navigate to the SMSSETUP\BIN\I386 folder on your SCCM media from a command line and run the command

setup.exe /download <location>

where location is where you want to store the SCCM updates, such as C:\temp\sccm-update. Make sure the download folder exists before running the command. Now, copy this content to the SCCM server. When you're prompted for updates during the installation, select the option to point SCCM setup to an existing download of the updates. Your installation will continue.

—John Savill

InstantDoc ID 126074


Q: I need 32-bit support for one of 
my Windows Server Core roles. How 
do I add it? 

A: By default, Windows Server 2008 R2 Server Core has Windows on Windows (WoW64) installed. The 32-bit applications and tools will work without changes. However, there are other parts of the OS that run add-ins and code that won't natively have 32-bit support, so you'll need to add an extra WoW64 package after the role or feature is added. They're shown in Table 3.

—John Savill 
InstantDoc ID 126079 

Q: What's the Enhanced Mitigation 
Experience Toolkit (EMET)? 

A: In all honesty, this is a tool I hadn't heard of until someone asked me about it. After some research, I found that it's a very easy-to-use tool designed to help protect applications from exploits. Typically, when an application is compiled, various options can be chosen to opt in to certain types of security technologies. To change these choices, such as to enable Data Execute Protection, requires a rebuild of the application. EMET lets you deploy security capabilities to applications without the need to rebuild, while giving those applications additional security and protection from exploits.

When you launch the application, it 
shows the technologies enabled on the 
system and the state of running processes. 
It's then possible to configure the system 
or specific applications with the various 
mitigation technologies available. 

If I modify synchro.exe to use all the 
mitigation technologies available, when 
I launch synchro.exe, it's protected using 
those technologies, and I don't need to 
recompile anything. EMET is great for any 
legacy applications that you no longer 
have the source for but that are possibly 
vulnerable to certain types of attack. 
Remember that you're enabling exploit- 
mitigating technologies, so it's possible 
that you'll break some of the application's 
functionality. It's important to test any 
application that you modify using EMET. 

EMET is available for download from tinyurl.com/2g63sus.

—John Savill 
InstantDoc ID 126036 




Table 3: Packages for 32-bit support

Role/Feature                             WoW64 additional package name
---------------------------------------  ----------------------------------
.Net 2.0                                 NetFx2-ServerCore-WOW64
.Net 3                                   NetFx3-ServerCore-WOW64
Failover Clustering                      FailoverCluster-Core-WOW64
Input Method Editor                      ServerCore-EA-IME-WOW64
PowerShell                               MicrosoftWindowsPowerShell-WOW64
Print Server                             Printing-ServerCore-Role-WOW64
Subsystem for UNIX-based Applications    SUACore-WOW64
The polls have closed! Here are your—and our—favorite products of the year

by the Windows IT Pro editors


Most Encouraging IT Trend 

1. Software as a Service (SaaS) 

2. Cloud computing 

3. Hybrid on-premises/cloud approaches 

4. Storage virtualization 

5. Increased IT spending 

6. Easier compliance 

7. Increasing competition 

8. Virtualized desktops 

9. Controversy over net neutrality 

10. Free deployment tools from Microsoft 

Least Encouraging IT Trend 

1. Outsourcing 

2. Social media 

3. Cloud computing (another name for "outsourcing") 

4. Increasing number of cyber attacks 

5. Commoditized software 

6. Consumerization of IT 

7. Fake SaaS 

8. Tablet PCs 

9. Book learning without field experience 

10. Windows Mobile phones 


Windows IT Pro's annual Editors' Best and Community Choice award programs offer a unique way 
to recognize the hottest products among the past year's offerings. Choosing favorites from such 
a competitive field—not to mention in the midst of such a financially unstable market—can be a 
challenge, but this year's winners show an uncommon breadth of functionality and originality. 

Our Editors' Best program highlights products that Windows IT Pro editors and contributors 
believe are worthy of recognition, whereas our Community Choice program lets our readers 
decide which products are the best. As we did last year—rather than presenting a predefined list of 
products and services that limited your selection to our choices—we opened up the Community 
Choice nomination process to all. We let you nominate your favorite products and services, built 
the voting survey from there, and let everyone participate in the final voting phase. For the Gold 
winners of both Editors' Best and Community Choice, we even reached out to readers and spoke 
to them about how the product or service helps them do their job. We spoke to real users about 
real experiences, and we hope these testimonials benefit you in your environment. 

In these pages, you'll find our Gold, Silver, and Bronze Editors' Best winners in each category 
directly adjacent to our Community Choice winners. Sometimes our editors and readers have 
agreed on favorite products and services in a given category, but more often they haven't. Do you 
agree with the choices our editors have made? Or do the picks that our readers have made carry 
more weight? Let us know! Regardless of whether these winners were chosen by editors or readers, 
you can be sure that all these products are worthy of serious consideration if you're in the market 
for a new tool. 
Best Active Directory/Group Policy Product

Editors' Best 

GOLD: 

Active Administrator • ScriptLogic • www.scriptlogic.com 

SILVER: 

Ensim Unify Active Directory Manager • Ensim • www.ensim.com 

BRONZE: 

Active Directory Change Reporter • NetWrix • www.netwrix.com 


Why It Won: Active Administrator consistently gets rave reviews from administrators in the trenches who appreciate how it simplifies managing the complex beast that is Active Directory (AD).

Simplifying management of a multi-domain AD environment and improving AD security is key for John Daniely, security analyst at the Atlanta Journal-Constitution: "Before we implemented Active Administrator, it was very difficult and time-consuming to determine what changes were made in either domain—and by whom—when things weren't working as expected. With Active Administrator, we're able to easily report on any changes made to AD on either domain within minutes. We've even set up scheduled daily reports that are emailed and stored to a secure network location, detailing user and group changes, password resets, lockouts, and changes to GPOs that can be reviewed for suspicious or unauthorized activity." With Active Administrator, Daniely says, AD administrators can also streamline new user creation and delegate appropriate rights. And when users report access problems with company systems, Active Administrator's AD object restore capability comes to the rescue.

Community Choice

GOLD:

Active Directory Change Reporter • NetWrix • www.netwrix.com

SILVER:

NetIQ Directory and Resource Administrator • NetIQ • www.netiq.com

BRONZE:

Active Administrator • ScriptLogic • www.scriptlogic.com

Other hot vote-getters in this year's survey...

• Centrify's DirectControl

• ScriptLogic's Desktop Authority

• Quest Software's ActiveRoles Server

"Start with the great freeware version, but know that you'll soon be upgrading to the rich toolset of Active Directory Change Reporter's commercial version."

Best Antivirus and Anti-Malware Product

Editors' Best

GOLD:

Kaspersky Anti-Virus for Windows Workstations • Kaspersky Lab • www.kaspersky.com

SILVER:

BitDefender Antivirus Pro 2011 • BitDefender • www.bitdefender.com

BRONZE:

ESET NOD32 Antivirus 4 • ESET • www.eset.com

Why It Won: Kaspersky Anti-Virus for Windows Workstations provides centralized protection of workstations on a corporate network from malware, potentially dangerous programs, network attacks, and unwanted mail.

Mike Kavka is a network engineer who uses Kaspersky's enterprise antivirus suite. According to Mike, Kaspersky's protection is "superior to Symantec, Trend, and McAfee. Overall, it uses fewer resources most of the time." In addition, he notes that "updates to Kaspersky's database happen more frequently than most products (sometimes multiple times a day)." Although Mike did note some downsides to the product, he says that "once tweaked, Kaspersky is an excellent security suite, and the clients I have set it up for have had a huge drop in malware infections."

Community Choice

GOLD:

Symantec Endpoint Protection 11 • Symantec • www.symantec.com

SILVER:

Endpoint Security and Data Protection • Sophos • www.sophos.com

BRONZE:

AVG Internet Security • AVG • www.avg.com

Other hot vote-getters in this year's survey...

• Malwarebytes' Anti-Malware

• Kaspersky's Anti-Virus for Windows Workstations

• Sunbelt Software's VIPRE Enterprise

Best Auditing and Compliance Product

Editors' Best

GOLD:

Blackbird Management Suite • Blackbird Group • www.blackbird-group.com

SILVER:

ChangeAuditor for Active Directory • Quest Software • www.quest.com

BRONZE:

ELM Enterprise Manager • TNT Software • www.tntsoftware.com

Why It Won: The Blackbird Management Suite provides comprehensive auditing for AD and the Windows file system with real-time alerting.

"The Blackbird Management Suite provides best-of-breed auditing for AD and the Windows file system," said Michael Otey, technical director for Windows IT Pro. "For AD, the Blackbird Management Suite provides auditing, protection from unwanted changes, and change management with workflow. For the Windows file system, it enables the administrator to track who, what, where, when for all file-system changes. Real-time alerts can notify the administrator about changes to any critical components. It's a great product."

Community Choice

GOLD:

NetWrix Change Reporter Suite • NetWrix • www.netwrix.com

GOLD:

Enterprise Vault • Symantec • www.symantec.com

BRONZE:

NetIQ Secure Configuration Manager • NetIQ • www.netiq.com

Other hot vote-getters in this year's survey...

• Centrify's DirectAudit

• Idera's SQL compliance manager

• GFI's EventsManager

…NetWrix's modular design!"
Best Backup Software Product


Editors' Best 

GOLD: 

Symantec Backup Exec 2010 • Symantec • www.symantec.com 

SILVER: 

Acronis Backup and Security 2010 • Acronis • www.acronis.com 

BRONZE: 

Backup My Info! • Backup My Info! • www.backupmyinfo.com

Why It Won: Backup Exec 2010 offers unparalleled ease of installation and operation, modular flexibility, speed, reliability, and cost/benefit ratio.

"With Backup Exec 2010, we experienced an immediate cost reduction in IT operations," said Bryce White, director of information systems at Strategic Hotels & Resorts. "Our payback period for new hardware and software was less than three months—almost unheard of in IT ops. Also, three days into our test phase, a user account was accidentally deleted from Active Directory; the restore operation (including checking online Help) took less than five minutes. The affected user was never aware of the potential problem. Here's a story for you: Our network manager and I were both out of town for a week in June, and we hired a temporary support engineer to cover immediate user needs. He was able to perform a file restore for one of our users—on his own, never having used the product before. It's that user-friendly."

Community Choice

GOLD:

Symantec Backup Exec 2010 • Symantec • www.symantec.com

SILVER:

Acronis Backup and Security 2010 • Acronis • www.acronis.com

BRONZE:

CommVault Simpana 9 • CommVault • www.commvault.com

Other hot vote-getters in this year's survey...

• Symantec's Norton Ghost

• BackupMyInfo!

• Veeam Software's Veeam Backup & Replication

Best Cloud Computing Product or Service

Editors' Best

GOLD:

Amazon Web Services • Amazon • www.amazon.com

SILVER:

Google Apps • Google • www.google.com

BRONZE:

Salesforce.com • Salesforce.com • www.salesforce.com

Why It Won: Amazon Web Services has a reputation as an easy and cost-effective way to run tests in the cloud.

"It's a highly scalable, reliable, fast, and inexpensive storage infrastructure," said Michael K. Campbell about Simple Storage Services (S3), part of Amazon Web Services, in an April 2010 article (InstantDoc ID 124955). "S3 helps to commoditize bandwidth and level the playing field for small businesses by allowing companies to scale up content delivery without incurring expensive hosting overhead."

Community Choice 

GOLD: 

Google Apps • Google • www.google.com 

SILVER: 

Amazon Web Services • Amazon.com • www.amazon.com 

BRONZE: 

Salesforce.com • www.salesforce.com 

Other hot vote-getters in this year's survey... 

• Rackspace's Mosso 

• HP's Cloud Assure 

• Iron Mountain's CloudRecovery 

"Google Apps is a 
fabulous service, 
and it's also one 
of the best deals 
out there." 


Best Deployment/Configuration Product

Editors' Best

GOLD: 

Specops Deploy • Specops Software • www.specopssoft.com 

SILVER: 

Numara Deployment Manager • Numara Software • www.numarasoftware.com

BRONZE: 

InstallAware Studio 9 • InstallAware Software • www.installaware.com

Why It Won: Specops Deploy requires no additional hardware and uses existing infrastructure to help manage the deployment of applications and OSs; its competitive pricing and the real-time feedback it offers admins are extra benefits.

"I think that if an organization is sophisticated enough to have a Windows domain with AD, it would be reasonable to have Specops Deploy in your tool kit," says Mike Lypp, a systems administrator for a large automotive retail outlet. "Microsoft just never made deployments this manageable. I'm fairly self-sufficient when it comes to deployments, as I was using the Windows MSI technology prior to purchasing Specops. With Windows, it's a 'hope for the best' scenario that is mostly blind. With Specops Deploy, I know exactly what's happening, where the errors are by computer name, and which error is causing an issue. I can be proactive in solving the issue simply because I know about it! Prior to having this product, I was reliant on software manufacturers to provide a useable MSI package. I now have the flexibility to truly deploy legacy installers with equal success."

Community Choice

GOLD:

Symantec Ghost Solution Suite 2.5 • Symantec • www.symantec.com

SILVER:

Desktop Authority • ScriptLogic • www.scriptlogic.com

BRONZE:

Novell ZENworks Configuration Management • Novell • www.novell.com

Other hot vote-getters in this year's survey... 

• Symantec's Wise Installation Studio 

• Specops Software's Specops Deploy 

• Flexera Software's InstallShield

"Symantec's industry-standard Ghost just gets the job done."
Best Hardware: Server

Editors' Best 

GOLD: 

HP ProLiant • HP • www.hp.com 

SILVER: 

Dell PowerEdge • Dell • www.dell.com 

BRONZE: 

Lenovo ThinkServer • Lenovo • www.lenovo.com 

Why It Won: Support for up to 256GB of RAM and AMD's new 12-core Opteron processors make the HP ProLiant DL385 G7 a great choice for running resource-intensive workloads such as virtualization and database services.

"My more precise choice for this award," said Michael Otey, technical director for Windows IT Pro, "is the HP ProLiant DL385 G7—a super-powerful 2U rack-mounted server. Supporting up to 256GB of RAM and dual 12-core AMD Opteron 6100 processors, this compact server can handle enterprise-size workloads. In addition, HP's integrated Insight Manager provides remote lights-out asset management, system monitoring, and firmware upgrades. You just can't do any better than that."


Community Choice

GOLD:

Dell PowerEdge • Dell • www.dell.com

SILVER:

HP ProLiant • HP • www.hp.com

BRONZE:

IBM System x • IBM • www.ibm.com

Other hot vote-getters in this year's survey...

• Lenovo's ThinkServer

• Apple's Xserve

• Oracle's Sun Fire Server

"Dell hits the sweet spot again with the PowerEdge series."
Best Hardware: Workstation


Editors' Best

GOLD: 

Dell Precision • Dell • www.dell.com

SILVER: 

Lenovo ThinkStation • Lenovo • www.lenovo.com 

BRONZE: 

Mac Pro • Apple • www.apple.com 

Why It Won: Dell Precision workstations offer competitive pricing and are a familiar fixture for many in the corporate world, which can be useful when calculating the training needs of Help desk staff and end users.

"With its support for dual 6-core processors and up to 72GB of RAM, the Dell Precision T5500 is a powerhouse workstation that's capable of handling any task on the desktop," said Michael Otey, technical director for Windows IT Pro. "Dell calls this system your own 'personal supercomputer'—for good reason. The Dell Precision T5500 is more powerful than many servers! If that wasn't enough, you can also add an optional NVIDIA Tesla C1060 GPU for high-performance processing of scientific, medical, and engineering applications." Adds Ken Savoy, infrastructure services director at Penton Media, "Dell is competitively priced, and we've always had good experience with Dell desktops and laptops."

Community Choice 

GOLD: 

Dell OptiPlex • Dell • www.dell.com

SILVER: 

Mac Pro • Apple • www.apple.com 

BRONZE: 

HP Compaq • HP • www.hp.com

Other hot vote-getters in this year's survey... 

• Dell's Precision 

• Lenovo's ThinkStation 

• HP's Z Series 

"The Dell OptiPlex 
is amazingly quiet, 
low-profile, and 
efficient—perfect 
for my environment!" 


Best Hardware: Laptop 


Editors' Best

GOLD:

HP Envy • HP • www.hp.com

SILVER:

Lenovo ThinkPad • Lenovo • www.lenovo.com

BRONZE:

Dell Latitude • Dell • www.dell.com

Why It Won: Multiple contributors to Windows IT Pro singled out HP's Envy models. These laptops manage to be powerful, easy to travel with, and reasonably priced at the same time.

"I finally found the unit to replace my aging Dell Latitude," said Windows IT Pro technical director Michael Otey. "As its name suggests, HP Envy 14 has everything you want in a powerful but still highly mobile laptop. The Envy can be equipped with a quad-core Intel Core i7 processor and 7200rpm drives, and even though it's super-thin at 1.1", it still has a slot-in optical drive. Unlike most 14" laptops, it provides a bigger 14.5" display with 1600x900 resolution and a backlit keyboard."

Community Choice

GOLD:

Dell Latitude • Dell • www.dell.com

SILVER:

Apple MacBook Pro • Apple • www.apple.com

BRONZE:

Lenovo ThinkPad • Lenovo • www.lenovo.com

Other hot vote-getters in this year's survey...

• HP's EliteBook

• Toshiba's Satellite

"The Latitude is a quick little thing loved by our mobile workers."
Best Hardware: Networking

Editors' Best

GOLD:

BIG-IP • F5 Networks • www.f5.com

SILVER:

AirMax • Ubiquiti Networks • www.ubnt.com

BRONZE:

Cisco routers and switches • Cisco Systems • www.cisco.com

Why It Won: F5 BIG-IP offers impressive load-balancing and application-delivery functionality. It's a versatile, easy-to-deploy, high-performance juggernaut.

"Many people are familiar with the F5 BIG-IP product by name," said Michael Dragone, systems engineer, "but most might not be aware of the flexibility and breadth of this offering. The BIG-IP is traditionally thought of as a hardware load balancer, but it's much more than that. You have your choice of BIG-IP appliances that can scale from a unit sized for a small enterprise up to a unit ready for a multi-site international organization, or you can get the system as a preconfigured VMware virtual machine that you can deploy for testing purposes. You can also add functionality easily; F5 offers modules such as a web application firewall and WAN optimization. The hardware can function in a redundant configuration in the event of an appliance failure. Although it's a bit expensive, F5 BIG-IP is well worth the investment."

Community Choice

GOLD:

Cisco routers and switches • Cisco Systems • www.cisco.com

SILVER:

ProCurve switches • HP • www.hp.com

BRONZE:

EtherFast switches • Linksys • www.linksys.com

Other hot vote-getters in this year's survey...

• Netgear's routers and switches

• D-Link's routers and switches

• F5 Networks' BIG-IP

"I've never had any problems after implementing Cisco gear."

Best Hardware: Appliance

Editors' Best

GOLD:

SonicWALL SSL VPN series • SonicWALL • www.sonicwall.com

SILVER:

Dell KACE K1000 Management Appliance • Dell • www.kace.com

BRONZE:

Adonis DNS/DHCP Appliances • BlueCat Networks • www.bluecatnetworks.com

Why It Won: SonicWALL's SSL VPNs offer a viable solution for small-to-midsized businesses (SMBs) to provide remote access to web applications and corporate networks.

"We're currently using the SonicWALL email/antispam appliances and software and SSL VPN for remote access (SSL VPN 2000)," said Robert Del Rio, vice president and principal associate at Hexagon Transportation Consultants. "We typically have no issues with remote access to our network. Our IT consultant is able to quickly resolve any issues remotely the few times that the network is not accessible. SonicWALL provides a reliable product that meets our needs for individual remote access. There has been no need to shop other competitors."

Community Choice

GOLD:

Cisco ASA 5500 Series • Cisco Systems • www.cisco.com

SILVER:

NetApp FAS3100 • NetApp • www.netapp.com

BRONZE:

Barracuda Spam & Virus Firewall • Barracuda Networks • www.barracudanetworks.com

Other hot vote-getters in this year's survey...

• SonicWALL's NSA2400

• Sophos' Email Security and Control Appliance

• WatchGuard Technologies' Firebox X

"The Cisco ASA 5500 performs exquisitely at so many security tasks."

Best Hardware: Storage

Editors' Best

GOLD:

DroboElite • Data Robotics • www.drobo.com

SILVER:

PowerVault • Dell • www.dell.com

BRONZE:

HP StorageWorks • HP • www.hp.com

Why It Won: The DroboElite is truly a set-it-and-forget-it iSCSI backup system. It's inexpensive, easy to use, and yet powerful for the small-to-midsized business (SMB) storage environment.

"The DroboElite fits well into my environment," said Ivan Breit, lead systems administrator for Whalen Furniture. "My previous storage system had failed, and I replaced it with the DroboElite, which ended up saving me thousands of dollars compared with other systems I was considering. Since implementing the DroboElite, my VMware backup environment has performed flawlessly. I'm also considering doing some restructuring of my virtualized environment and I am going to use the iSCSI connectivity of the DroboElite to provide primary storage for my VMs during the transition. The DroboElite is a flexible storage solution that meets my needs, and the BeyondRAID technology does exactly what it's supposed to do."

Community Choice

GOLD:

EMC CLARiiON • EMC • www.emc.com

SILVER:

Dell PowerVault • Dell • www.dell.com

BRONZE:

HP StorageWorks Backup System • HP • www.hp.com

Other hot vote-getters in this year's survey...

• NetApp's FAS3100

• Intel's SSD drives

• Hitachi's HDS SAN

Most Overused IT Buzzwords

1. Cloud
2. Robust
3. Scalable
4. Real-time
5. Heterogeneous
6. Seamless
7. Virtualize
8. Revolutionary
9. Viral
10. Next-generation
Best High Availability/Disaster Recovery Product




Editors' Best 

GOLD: 

CA ARCserve High Availability • CA • www.arcserve.com 

SILVER: 

Symantec Backup Exec System Recovery 2010 • Symantec • www.symantec.com

BRONZE: 

Acronis True Image Echo Server • Acronis • www.acronis.com


Why It Won: CA ARCserve High Availability is top-tier when it comes to minimizing the kinds of system downtime and data loss that can bring your business to a halt.

David Jao, director of corporate IT of Hazen and Sawyer, has used CA ARCserve High Availability for over a year in his 700-user environment, and talks up the product's ease of deployment and reliability. "It's simpler to deploy and use than Exchange Server 2010 database availability groups (DAGs). We found it ideal for an under-1,000-mailbox SMB that needed only one mail server with a full redundant server at a remote location for disaster recovery. The switchover is almost seamless to our users, as tested on our preproduction Exchange 2010 server. The only required client interaction was an Outlook client restart. The native Exchange DAG solution would have required four servers and WAN-routing modifications to achieve the same redundancy. Knock on wood—it's working as advertised."

Community Choice

GOLD:

Symantec Backup Exec System Recovery 2010 • Symantec • www.symantec.com

SILVER:

Acronis True Image Echo Server • Acronis • www.acronis.com

BRONZE:

VMware Site Recovery Manager • VMware • www.vmware.com

Other hot vote-getters in this year's survey...

• CommVault's Simpana 9

• NetApp's SnapMirror

• HP's Data Protector

"We love Symantec's ease of use and simple interface."

Best Interoperability Product

Editors' Best

GOLD: 

ExtremeZ-IP • Group Logic • www.grouplogic.com 

SILVER: 

CMT for Coexistence • Binary Tree • www.binarytree.com 

BRONZE: 

Zoho.com • Zoho • www.zoho.com 

Why It Won: ExtremeZ-IP is the leading product for integrating Macs into a corporate Windows environment.

"ExtremeZ-IP is a very strong product and is backed by even stronger sales and technical support," said Jeff Beith, business analyst for Iovate Health Sciences. "The experience has been nothing but positive. Along the path of implementation, we had a variety of questions that were always answered quickly and accurately. We have also been delighted with the fact that once the software has been installed, there is no other maintenance work to be done. Once it is implemented, it just works! ExtremeZ-IP is purely a server-based solution for integrating Macs into a Windows environment, which allows for centralized administration and a seamless experience for the users. It also supports DFS and clustering, which allows us to maintain a single high-availability solution."

Community Choice

GOLD: 

Centrify Suite 2010 • Centrify • www.centrify.com 

SILVER: 

Quest Authentication Services • Quest Software • www.quest.com 

BRONZE: 

Altiris Notification Server • Symantec • www.symantec.com 

Other hot vote-getters in this year's survey... 

• SystemTools Software's Hyena 8.1 

• BinaryTree's CMT for Coexistence 

• Likewise's Likewise-CIFS 

"The Centrify 
suite is efficient 
and easy to 
use." 


Best Management Suite

Editors' Best

GOLD: 

Spiceworks • Spiceworks • www.spiceworks.com 

SILVER: 

NetIQ AppManager Suite • NetIQ • www.netiq.com

BRONZE: 

Altiris Client Management Suite • Symantec • www.symantec.com

Why It Won: Spiceworks combines management, monitoring, inventory control, and ticketing into one product. A full-featured free version with advertising makes it easy to get started with Spiceworks.

In his review of the free version of Spiceworks, Michael Dragone said, "Overall, I was impressed with Spiceworks. The most compelling feature of the product, aside from the $0 price tag, is the way all the components tie in together. You don't have to maintain separate lists of assets or use another interface to query a network device. Everything is integrated in the single Spiceworks interface."

Community Choice 

GOLD: 

Spiceworks • Spiceworks • www.spiceworks.com 

SILVER: 

Altiris Client Management Suite • Symantec • www.symantec.com

BRONZE: 

NetIQ AppManager Suite • NetIQ • www.netiq.com

Other hot vote-getters in this year's survey... 

• NetWrix's Enterprise Management Suite 

• HP's Insight Control Suite 3.1 

• Blackbird Group's Blackbird Management Suite

"Spiceworks is a 
compelling, 
comprehensive 
product, even in 
its free version." 


Favorite IT Websites

1. www.theregister.co.uk
2. www.thinkgeek.com
3. www.networkworld.com
4. www.windowsitpro.com
5. www.microsoft.com
6. www.google.com
7. www.tomshardware.com
8. www.winsupersite.com
9. www.engadget.com
10. www.expertsexchange.com
Best Microsoft Product






Editors' Best

GOLD: 

Windows Server 2008 R2 • Microsoft • www.microsoft.com 

SILVER: 

Windows 7 • Microsoft • www.microsoft.com 

BRONZE: 

Exchange Server 2010 SP1 • Microsoft • www.microsoft.com 

Why It Won: Although Windows 7 is a close second, Server 2008 R2 seems to offer more in the way of new features and functionality for the IT pro.

"I've been using Windows Server since it was invented," said Sean Deuby, Active Directory (AD) expert and technical director for Windows IT Pro, "and I've watched the progression of its usability for administrators along the way. Server 2008 R2 is by far the most refined Windows Server version to administer with, for example, best-practice analyzers built in to nearly every major role the server can assume. Improvements in Hyper-V, IIS, and PowerShell expand the product's existing capabilities. And I think the requirement for x64 hardware—what some see as a disadvantage—can actually be an advantage when you tie the upgrade to your company's hardware refresh cycle because R2 makes full use of the latest processor technology for both performance and energy savings."


Favorite Consumer Tech Product 

1. Apple iPhone 

2. Google Android 

3. Microsoft Xbox 360 

4. Apple iPod nano 

5. Microsoft Zune 

6. Apple iPad 

7. GPS devices 

8. Digital meat thermometer 

9. USB drink chiller 

10. VCR 


Community Choice 

GOLD: 

Windows 7 • Microsoft • www.microsoft.com 

SILVER: 

Office 2010 • Microsoft • www.microsoft.com 

BRONZE: 

Windows Server 2008 R2 • Microsoft • www.microsoft.com 

Other hot vote-getters in this year's survey... 

• Microsoft's SharePoint 2010 

• Microsoft's Hyper-V Server 2009 R2 

• Microsoft's SQL Server 2008 R2 


"Windows 7 is just 
easier and faster and 
more efficient and 
more fun than any 
previous version." 


Most Overhyped Consumer Tech Product 

1. iPad 

2. iPhone 4 

3. iPod 

4. iAnything 

5. 3D TV 

6. Netbooks 

7. Windows Phone 

8. Amazon Kindle 

9. Any compressed backup solution 

10. HTML5 


Best Messaging Product

Editors' Best 

GOLD: 

Mailscape • ENow • www.enowconsulting.com 

SILVER: 

BlackBerry Enterprise Server • Research In Motion • www.blackberry.com

BRONZE: 

OWA Suite for Exchange 2007 • Messageware • www.messageware.com

Why It Won: Mailscape provides a simple view into your complex messaging environment to help you proactively address problems before they affect end users.

What first attracted John O'Neill, Sr., corporate director of IT for Molded Fiber Glass, to ENow's Mailscape Exchange Server monitoring product was its "apparent simplicity." The product features a dashboard with red, yellow, and green lights indicating the health of each monitored server. "I chose it right then and there because it gave me what I needed for my support staff to keep a browser window open and just watch the lights so they could try and be more proactive even though they're overburdened," O'Neill said. "Then we learned that it had all these reports and more underlying features that actually help us move forward with our Exchange 2010 migration. The ability to have information real-time and make fast decisions is the best advantage I think a team can have."

Community Choice 

GOLD: 

Skype 4.2 • Skype • www.skype.com 

SILVER: 

BlackBerry Enterprise Instant Messaging • Research In Motion • www.blackberry.com

BRONZE: 

Symantec Brightmail Gateway • Symantec • www.symantec.com

Other hot vote-getters in this year's survey... 

• Mozilla's Thunderbird with Lightning

• Meebo's Meebo 

• Kerio Technology's Kerio Connect

"I've loved Skype 
since the first day 
I used it." 
Best Mobile and Wireless Product


Editors' Best

GOLD: 

Zenprise MobileManager • Zenprise • www.zenprise.com 

SILVER: 

BoxTone Mobile Service Management • BoxTone • www.boxtone.com 

BRONZE: 

Android • Google • www.android.com 

Why It Won: Zenprise MobileManager provides complete management of your mobile devices and infrastructure and includes a huge, integrated knowledge base to help solve problems.

Several years ago, Matthew H. Morse, IT architect and senior administrator for Varian Medical Systems, recognized the growing importance and complexity of mobile devices to his business. The company has 60 offices worldwide, and the IT department supports around 1,800 BlackBerry users and 1,300 Apple iPhone users. "We have to have something that will help us monitor, maintain, and support these mobile devices as well as be able to see what's going on with the infrastructure," Morse said. After researching the market, Morse chose Zenprise MobileManager. "We've been a customer now for over three years and have been very pleased with how the product not only monitors the BlackBerry mobile service at the device level but also tells me how my Exchange environment is performing, my AD and domain controllers, the SQL Server environment that supports it, and so on."

Community Choice 

GOLD: 

Android • Google • www.google.com 

SILVER: 

iPhone OS • Apple • www.apple.com 

BRONZE: 

BlackBerry Enterprise Server • Research In Motion • www.blackberry.com

Other hot vote-getters in this year's survey... 

• Google's Google Voice 

• Kaspersky's Mobile Security 

• Zenprise's Zenprise Mobile Manager 

"Android is such 
a fun device for 
gadget lovers." 


Best Patch-Management Product 

Editors' Best

GOLD:


GFI LANguard 9 • GFI Software • www.gfi.com 

SILVER: 

Shavlik NetChk Protect • Shavlik Technologies • www.shavlik.com

BRONZE: 

Kaseya Patch Management • Kaseya • www.kaseya.com 

Why It Won: GFI LANguard scans the network and ports for security vulnerabilities, then lets administrators easily deploy and manage patches.

Eli Mergel, director of IT for AllianceBernstein's security department, has used GFI LANguard for several years—three of them in his current position. He likes the product's ease of use, layout, and updates, but he notes that the most important feature for his organization, which has roughly 6,000 users, is the patch management. "I love that you can select a set of computers and set a time for rollout. It has saved me from coming in on numerous weekends to do manual patch management." Eli used GFI LANguard before it did patch management (i.e., when it was just a network scanner), and he notes that the "capability to roll out patches, exclude devices, and have different sets of logons for different computers" is a huge improvement. "It's a major product now. We couldn't operate without it."


Community Choice

GOLD:

Altiris Client Management Suite • Symantec • www.symantec.com

SILVER: 

Windows Update Checker • NetWrix • www.netwrix.com 

BRONZE: 

Novell ZENworks Patch Management • Novell • 
www.novell.com 

Other hot vote-getters in this year's survey...

• GFI's LANguard 9

• Shavlik Technologies' NetChk Protect

• ScriptLogic's Desktop Authority 8

"Altiris has reduced our TCO for all systems; we're managing and troubleshooting our network from anywhere. Good stuff!"


Best Network-Management Product

Editors' Best

GOLD: 

Orion Network Performance Monitor • SolarWinds • www.solarwinds.com

SILVER:

EventSentry • NETIKUS.NET • www.netikus.net

BRONZE: 

Spiceworks 4.1 • Spiceworks • www.spiceworks.com 

Why It Won: Network problem diagnosis and resolution has never been easier, thanks to Orion's centralized management interface.

In his praise of Orion, John Spanitz—senior systems administrator at Just Born, Inc.—points to a network-management problem he experienced a while back. "A user complained that the Internet was slow, and first-level support experienced the same sluggishness. Into Orion we went, accessing the Network Performance Monitor tab and pulling up the firewall interfaces. Utilization was higher than normal, but no cause for alarm. On the Network Traffic Analyzer tab, we observed the type of traffic flowing through the firewalls—no surprise that it was port 80, and the heavy user is our web gateway. One click on the web gateway in Netflow revealed the culprit: A user had downloaded a huge software package. In short order, we routed the issue back to first-level support to follow up with the offending user. Thanks to Orion, we quickly located and diagnosed the problem. If we had wanted to, we could have shut down the port the user was on right there in Orion, but we're a friendly bunch, so we didn't take it to that level—but with Orion's Network Configuration Manager, we could have!"



Community Choice

GOLD:

Spiceworks 4.1 • Spiceworks • www.spiceworks.com

SILVER:

Altiris Client Management Suite • Symantec • www.symantec.com

BRONZE:

Orion Network Performance Monitor • SolarWinds • www.solarwinds.com

"Spiceworks is a standout choice for detailed SMB network monitoring."

Other hot vote-getters in this year's survey ... 

• Cisco Systems' NetFlow 9 

• EMC's Ionix Network Configuration Manager

• Wireshark 1.2 
Best Scripting Tool

Editors' Best

GOLD: 

PowerShell Plus Professional Edition 3.5 • Idera • www.idera.com 

SILVER: 

PrimalScript 2009 • SAPIEN Technologies • www.sapien.com 

BRONZE: 

PowerGUI Pro • Quest Software • www.quest.com 

Why It Won: PowerShell Plus features a user-friendly GUI console, an advanced script editor and debugger, and a comprehensive interactive learning center—all integrated into one product.

"I've been a script junkie for a long time," said Aleksandar Nikolic. As the system administrator at DDOR Novi Sad, he uses PowerShell Plus for many tasks, including automating AD management and creating auditing scripts that keep his systems secure. "From the very beginning, I was impressed by the effectiveness of PowerShell Plus. Its powerful console can be embedded into an editor, so I can get the best of both worlds—CLI and GUI. Also, three well-known PowerShell script repositories are available directly from the editor, so I can download a script, modify it to satisfy my needs, and easily add it to my personal QuickClick Library. Idera has listened to users' feedback and PowerShell Plus now has the best support available for remoting. It has reusable remote settings, which I often preconfigure for future usage."

Community Choice

GOLD:

PowerGUI Pro • Quest Software • www.quest.com

SILVER:

PowerShell Plus Professional Edition 3.5 • Idera • www.idera.com

BRONZE:

Admin Script Editor • iTripoli • www.itripoli.com

Other hot vote-getters in this year's survey...

• Network Automation's AutoMate 7

• FastTrack Software's Scripting Host

• SAPIEN Technologies' PrimalScript 2009

"PowerGUI's script editor has become quite full-featured!"

Best SharePoint Product

Editors' Best

GOLD:

Social Sites for SharePoint 2010 • NewsGator • www.newsgator.com

SILVER:

Idera SharePoint admin toolset 2.0 • Idera • www.idera.com

BRONZE:

SharePoint Website Accelerator • Aptimize • www.aptimize.com

Why It Won: SharePoint is only as useful as the ease with which users can use it—and NewsGator offers a way to help users find information, share ideas, and collaborate with their peers, making SharePoint collaborative in real life and not just on paper.

Social Sites for SharePoint 2010 has helped Medtronic, a global leader in medical technology, to enhance its SharePoint collaboration capabilities, according to Mary Maida, information solutions manager at Medtronic. The company is far-flung, with 120 locations—an ideal poster child for using SharePoint for collaboration. Medtronic uses SharePoint primarily for internal websites, Maida said. However, in spite of SharePoint's capabilities, the company still wanted a way to enhance SharePoint "to help make people and information more obvious." NewsGator's familiarity with the SharePoint environment made it "a natural fit" to work with Medtronic, Maida said. "We encourage employees to connect in new ways. The use of Social Sites makes it easy for employees to asynchronously engage in open knowledge sharing that drives learning, new ideas, and innovation." Maida said that since the company started using Social Sites a year ago, she's been "encouraged by the increasing engagement of our employees."

Community Choice

GOLD: 

Symantec Enterprise Vault for SharePoint • Symantec • 
www.symantec.com 

SILVER: 

EMC SourceOne for Microsoft SharePoint • EMC • www.emc.com 

BRONZE: 

NetWrix SharePoint Change Reporter • NetWrix • www.netwrix.com 

Other hot vote-getters in this year's survey... 

• Colligo Networks' Colligo Contributor Pro for SharePoint 2010

• Axceler's ControlPoint 3 for Microsoft SharePoint 

• Quest Software's Site Administrator for SharePoint 



Best Security Product 


Editors' Best

GOLD: 

Avecto Privilege Guard 2.5 • Avecto • www.avecto.com 

SILVER:

RSA Data Loss Prevention (DLP) Suite • EMC • www.rsa.com 

BRONZE: 

Splunk 4.1 • Splunk • www.splunk.com


Why It Won: Privilege Guard uses the principle of least privilege to let administrators easily secure their server environments. Admin-level rights can be assigned to applications, tasks, and scripts rather than individual users.

Jeff Douglas, senior advisor for Infrastructure Services Sensitive at National Government Services, has been using Privilege Guard since February 2010. Jeff likes "the ease of use in creating policies to be able to limit the rights required to be granted to our users." In addition, he notes that when his organization had some performance issues with an application after implementing Privilege Guard, Avecto responded to their support request within hours and quickly identified and solved the problem. According to Jeff, "the product support has been the best part of our experience!"


Community Choice 


GOLD: 

NetIQ Security Manager • NetIQ • www.netiq.com 

SILVER: 

Symantec Endpoint Protection • Symantec • www.symantec.com 

BRONZE: 

Sophos Endpoint Security and Data Protection • Sophos • www.sophos.com 

"NetIQ Security Manager has really reduced compliance and security headaches for us." 

Other hot vote-getters in this year's survey... 

• Citrix's Access Gateway 

• Avecto's Privilege Guard 2.5 

• Splunk 4.1 

Best Systems Monitoring Product 


Editors' Best 

GOLD: 

HP Operations Manager • HP • www.hp.com 

SILVER: 

Applications Manager • ManageEngine • www.manageengine.com 

BRONZE: 

Service Monitor • NetWrix • www.netwrix.com 

Why It Won: HP Operations Manager is a comprehensive solution for managing both your physical and virtual infrastructure. 

"HP Operations Manager provided automated monitoring of both servers and applications like SQL Server and Exchange, allowing you to manage your entire infrastructure through a 'single pane of glass'," said Windows IT Pro technical director Michael Otey. "Operations Manager can monitor using agents or it can be run agentless. It has the ability to perform automated problem resolution and can forward alerts via SMS, pagers, and email." 


Community Choice 

GOLD: 

HP Operations Manager • HP • www.hp.com 

SILVER: 

Service Monitor • NetWrix • www.netwrix.com 

BRONZE: 

Applications Manager • ManageEngine • www.manageengine.com 

Other hot vote-getters in this year's survey... 

• Spiceworks' Spiceworks 

• LogicMonitor's LogicMonitor 

• TNT Software's ELM Enterprise Manager 

"HP Operations Manager is comprehensive and dependable." 


Best Task Automation Product 

Editors' Best 

GOLD: 

Kaseya Small-Medium Enterprise Edition • Kaseya • 
www.kaseya.com 

SILVER: 

AutoMate 7 • Network Automation • 
www.networkautomation.com 

BRONZE: 

Desktop Authority • ScriptLogic • www.scriptlogic.com 

Why It Won: Developed with the needs of small and midsized IT departments in mind, Kaseya Small-Medium Enterprise Edition helps cost-conscious IT departments automate routine IT tasks. 

"Ockham had grown to a point where it was necessary to maintain an internal IT department," said Jeff Burdine, the information services manager at Ockham Development Group. "When we were looking for a PC management tool, we were initially just trying to fill a need for a remote control tool that would allow us to troubleshoot users' issues without running all over the office. In addition, we have a number of remote sites and traveling users accessing our network. I tested software from several vendors and even tried some of the open-source products that were out there. It seemed every one of them could cover our local clients very well, but many of them failed when trying to support laptop computers that were offsite. After a few more weeks of searching, I decided that we would use a number of solutions to get the job done. Then, as a last resort, I checked out Kaseya's website. That's when I discovered Kaseya SMEE. I had never heard of it before and I figured it would be a capital expense far exceeding my budget. I was thrilled when I heard the pricing and I was even more thrilled when I found out that all the functionality I was looking for would be in one package." 

Community Choice 

GOLD: 

Altiris Client Management Suite • Symantec • www.symantec.com 

SILVER: 

NetIQ Aegis • NetIQ • www.netiq.com 

BRONZE: 

Desktop Authority • ScriptLogic • www.scriptlogic.com 

Other hot vote-getters in this year's survey... 

• Network Automation's AutoMate 7 

• Specops Software's Specops Command 

• AvePoint's DocAve Deployment Manager for 
Microsoft SharePoint 


Best System Utility 

Editors' Best 

GOLD: 

System Mechanic Business • iolo technologies • www.iolo.com 

SILVER: 

TuneUp Utilities 2010 • TuneUp • www.tune-up.com 

BRONZE: 

Diskeeper 2010 Professional • Diskeeper • www.diskeeper.com 

Why It Won: The award-winning System Mechanic software isn't just for personal PC use anymore. With System Mechanic Business, small organizations can speed up and clean up users' PCs without blowing their IT budget. 

"I assist school districts with their technology needs," said Kirk Moore, a tech support specialist at Education Service Center, Region XI, Texas. At one school, some computers were running slow and experiencing other problems. "Because the school had a small budget and a small tech support staff—me—I needed something that would help keep the PCs running for another year at peak performance. I decided to purchase System Mechanic Business. I installed it on a few teachers' computers and ran it a few times to clean up the drive and registry, defrag, etc. When I turned the computers back over to the teachers, they were thrilled. They were able to be productive again. I'm now supporting a new school. The principal was complaining about his computer being slow and getting error messages or just locking up every so often. I installed one of my licensed copies on his computer and asked him to try it out. I told him that if the program worked and he was happy, we could purchase a 100-user license to install on the teachers' computers. Well, after a few days, I was placing an order for the school. System Mechanic has saved me so much time—time that I can focus on other projects." 

Community Choice 

GOLD: 

Norton SystemWorks • Symantec • www.symantec.com 

SILVER: 

WinZip 12.1 • WinZip • www.winzip.com 

BRONZE: 

Acronis Disk Director • Acronis • www.acronis.com 

Other hot vote-getters in this year's survey... 

• Microsoft's Sysinternals Suite 

• Malwarebytes' Anti-Malware 

• Wireshark 1.2 

"I had a sluggish, mostly unresponsive computer, and after letting Norton SystemWorks loose on it, the system is now as fast as it used to be." 

"Altiris Client Management Suite is by far the best in the market for multi-platform, multi-device client management." 

Best Free or Open Source IT Tool 

Editors' Best 

GOLD: 

Spiceworks • Spiceworks • www.spiceworks.com 

SILVER: 

PrimalPad Community Edition • SAPIEN Technologies • 
www.sapien.com 

BRONZE: 

SYDI-Server • SYDI • sydiproject.com 

Why It Won: Whereas most free tools help IT pros perform one or two types of tasks (e.g., inventorying computers), Spiceworks helps IT pros perform many different types of tasks, including inventorying, monitoring, troubleshooting, and reporting. 

"I chose Spiceworks because it provides both hardware and software inventory without any agent on the client side," said Stephen Lyons, IT manager at GEA Pharma Systems AG. "It also includes a Help desk system. It's exceptionally well supported by a great bunch of friendly people. And it's available for a superb price—it's free. The Spiceworks community is also a big plus point. The community is made up of like-minded souls who don't mind providing what help they can on a multitude of subjects. The product is frequently updated; beta version 5 is currently available for testing. Updates to the current version (version 4.7 at the time of writing) are in relation to bug fixes and feature requests from the Spiceworks community. If I was to do this again, would I go with Spiceworks? Oh yes, without a doubt." 


Community Choice 

GOLD: 

Spiceworks • Spiceworks • www.spiceworks.com 

SILVER: 

VMware Server • VMware • www.vmware.com 

BRONZE: 

Firefox 3.6 • Mozilla • www.mozilla.com 

Other hot vote-getters in this year's survey... 

• Google's Chrome 

• NetWrix's Active Directory Change Reporter 

• FileZilla 

"Would I recommend Spiceworks to others? Most certainly—and I actively do!" 


Best Training and Certification Product or Service 


Editors' Best 

GOLD: 

TrainSignal Premium Computer Training Videos • TrainSignal • www.trainsignal.com 

SILVER: 

Clip Training Web-Based Training • Clip Training • www.cliptraining.com 

BRONZE: 

AppDev OnDemand Training • AppDev Products • www.appdev.com 

Why It Won: TrainSignal offers one of the most comprehensive libraries of certification training of any vendor, touching across every topic relevant to Windows IT pros. 

"In 2007, I lost my job after three months of probation because I had not met the skill set the company was looking for," said Theodore Darko, systems administrator for the Department of Homeland Security. "Words are not enough to begin to explain my experience with TrainSignal or the pros of the company's video products. After using TrainSignal's video tutorials less than two months after I was laid off, I got a new job that paid $15,000 more annually than what I was making before. On that note, I can vehemently say that TrainSignal videos are truly the best on Earth! And they have made me the engineer that I am today." 

Community Choice 

GOLD: 

TrainSignal Premium Computer Training Videos • TrainSignal • www.trainsignal.com 

SILVER: 

TestOut Professional Training for IT Certification • TestOut • www.testout.com 

BRONZE: 

VMware Certified Professional Program • VMware • www.vmware.com 

Other hot vote-getters in this year's survey... 

• TestKing's IT Testing and Certification 

• AppDev's OnDemand Training 

• Clip Training's Web-Based Training 

"TrainSignal offers very polished, excellent instruction." 


Best Virtualization Product 

Editors' Best 

GOLD: 

VMware vSphere 4 • VMware • www.vmware.com 

SILVER: 

Citrix XenDesktop 4 • Citrix Systems • www.citrix.com 

BRONZE: 

NetWrix VMware Change Reporter • NetWrix • www.netwrix.com 

Why It Won: VMware's hypervisor is the most common in IT installations, and generally acknowledged as having the most advanced virtualization technology on the market. 

In a blog entry, Windows IT Pro author Greg Shields said of vSphere's 4.1 update, "This update swings the capabilities we've come to think of as 'must have' well into the court of affordability for small and medium businesses." He also said, "Huzzah to VMware for throwing a bone to SMB pocketbooks, while at the same time offering the new technologies that enterprises demand." Windows IT Pro technical director Michael Otey said, "VMware's vSphere is designed to enable IT to build an internal cloud where all resources are virtualized, and it provides dynamic management of the virtual infrastructure." 

Community Choice 

GOLD: 

VMware vSphere • VMware • www.vmware.com 

SILVER: 

Symantec Endpoint Virtualization Suite • Symantec • www.symantec.com 

BRONZE: 

NetWrix VMware Change Reporter • NetWrix • www.netwrix.com 

Other hot vote-getters in this year's survey... 

• VMware's VMware Workstation 

• Oracle's VirtualBox 

• Citrix's XenServer 

InstantDoc ID 128899 

"VMware vSphere is simply the most important, sophisticated virtualization product on the market." 


Best Vendor Tech Support 

Gold: Dell • www.dell.com 
Silver: TestOut • www.testout.com 
Bronze: Symantec • www.symantec.com 

The vMotion capability in VMware vSphere gets a lot of attention. Using vMotion, a running virtual machine (VM) can live-migrate between hosts. Live migration relocates VMs prior to a host shutdown, or rebalances VM loads across a set of hosts. It also lets you empty a host before rebooting or performing maintenance. 

All of these things happen before the failure. If you know that a host is about to have a problem, or if you know you're about to perform some maintenance, vMotion can come to the rescue. But what do you do when a host simply dies? That's when the VMware High Availability (HA) feature comes in handy. Commonly (but technically incorrectly) associated with vMotion, VMware HA is a somewhat different protection you can set up to quickly resurrect VMs after a host failure. 

With VMware HA, VMs that fail on one host automatically start up on another. It's important to recognize that a VMware HA event generally starts with the loss of a host, and with that host failure comes the unexpected loss of its VMs. In short, vSphere won't invoke VMware HA until after your VMs are already down. 


Keep your VMs up when a host goes down 

by Greg Shields 


To Get VMware HA, Start with VMware DRS 

Getting to VMware HA starts with the creation of a vSphere cluster. Even if you aren't licensed for the VMware Distributed Resource Scheduler (DRS) feature, you'll need to start this cluster-creation process to get going. 

Both VMware HA and VMware DRS are specially licensed features of VMware vSphere. In order to use either, you'll need to ensure that you have the correct licensing for the hosts that participate in a cluster. Figure 1 shows an example of what you might see if you select an ESX host in the left pane, click its Configuration tab, and click the Licensed Features link. Notice that VMware identifies licensed features for capabilities like VMware HA and VMware DRS on a host-by-host basis. Thus, depending on how you've purchased licenses in the past, you might have some hosts with and others without this capability. 

Many people don't realize that VMware HA and VMware DRS are licensed with different editions of vSphere. VMware HA is available in vSphere Standard and Essentials Plus, which are low-cost editions of the software (although not the lowest-cost editions). VMware DRS isn't included until you move up the scale to vSphere Enterprise Edition. 

A cluster corresponds to a set of hosts where resources, such as processing power and memory, have been gathered together to create a pool. Clusters provide a boundary of resource administration, aggregating resources across multiple hosts. They also provide a boundary for VMware DRS load balancing, creating a hard line around a collection of hosts within which vSphere can load-balance VMs. That hard line also defines the hosts that VMware HA can use to relocate VMs after their original host fails. 

Figure 1: Licensed features for an ESX host 

To create a cluster, right-click a datacenter in the vSphere Client. Choose New Cluster and, as Figure 2 partially shows, the New Cluster Wizard will appear. You'll see that each cluster needs a unique name and you're given the option to enable one of the two different cluster features. In this example, I'll enable VMware HA but leave VMware DRS for a future article. 

Selecting the checkbox next to VMware HA adds three wizard screens that require configuration. Many administrators are confused by these screens; the correct configuration isn't always the most obvious one. Some settings can have implications for how your cluster operates after a failure and others, if configured incorrectly, will create more problems rather than help after a host goes down. 


Enforcing Admission Control 

Figure 3 shows the first configuration screen, which provides options for host admission control. The first setting, Host Monitoring Status, determines whether the cluster's ESX hosts exchange network heartbeats with one another. 

Those heartbeats are how VMware HA decides whether a host is still running, so be sure to leave this checkbox selected. Without host monitoring, VMware HA has no way to identify when a host fails, and it will restart nothing. The one time you'd generally clear it is temporarily, during network maintenance that would otherwise look like a host failure; re-enable it when you're done. 

The second setting, Admission Control, determines what action your cluster will take when a host failure occurs but there aren't enough resources to power on the failed VMs elsewhere in the cluster. A well-designed cluster will always contain enough spare resources so that any host can crash and its VMs can still power on atop surviving cluster hosts, but this isn't always the case: you might have too little hardware or too many VMs. Your Admission Control setting should depend on the availability and performance needs of your VMs. It's easiest to explain this situation with an extreme example. Think about a cluster that has four hosts, and all four hosts are running VMs, so many VMs that each host is fully loaded, at 100 percent utilization. 

Figure 2: Creating a Cluster 


Should Host Number 2 fail, VMware HA's job is to relocate VMs to each of the remaining three hosts wherever spare capacity exists. In this case, however, the cluster's remaining three hosts are already at 100 percent utilization. By adding the load of Host Number 2's VMs to the remaining three hosts, VMware HA would create a situation in which the performance of every VM suffers, not a great result. The loss of a single host in a poorly designed cluster can cause much bigger problems than just losing that host. If you want high availability, your cluster must always be built with some spare capacity that remains unused in case a host fails. 

Look at the options for Admission Control in Figure 3. If you disable Admission Control, VMs will be powered on even if there aren't enough resources. This sounds like it would always be a bad idea, but a situation could exist where you'd want this. For example, maybe you can't afford the additional hardware the cluster needs to support failover, but you must ensure that VMs are restarted, even if performance suffers. In this case, disabling Admission Control trades performance for availability. Most IT pros don't want to be in this situation, however, which is why Admission Control's default setting is enabled. 

Figure 3: Admission control 

You probably want both performance and availability, and you have the budget to ensure that you've got enough hardware lying around. If this describes your situation, you'll be enabling Admission Control. Admission Control lets the cluster manage how many of your resources must be kept in reserve. Handing this responsibility to the cluster frees you from constantly measuring available resources and what your VMs need. Allowing Admission Control to manage resource levels lets it tell you when its resources have all been assigned, either to VMs or to reserve capacity. Figure 4 shows the three policies at your disposal. 

The first policy is Host failures cluster tolerates. Selecting this policy instructs the cluster to reserve an amount of resources that's equal to the specified number of hosts. By setting this value to 1, as I did in the example, your cluster will set aside a quantity of resources that is equal to its most powerful host. By doing this, your cluster will always be assured that it can fail over VMs when a host fails. 

(As a side note, this process of identifying resources uses a calculation involving "slots," which are logical representations of memory and CPU resources. A deeper discussion about slot calculations is out of scope for this article, but you can learn more about how they are calculated by taking a look at Duncan Epping's excellent explanation at tinyurl.com/bcc692.) 

An important point about cluster size is that setting a failover reserve makes smaller clusters suffer more "waste." Setting this value to 1 sets aside as unusable one entire server's contribution of resources in case of host failure. This is both good and bad. It's good because if you lose a host, its VMs always have a place to relocate. It's bad because your four-host cluster now functionally operates as a three-host cluster. 

Increasing the number of hosts in a cluster reduces the overall percentage of waste. That four-host cluster must reserve 25 percent of itself for failover, but setting aside one host in a 10-host cluster requires only 10 percent of the cluster, and with 20 hosts, the reserve is only 5 percent. 

You don't have to set aside that full percentage; that's one reason you can choose the Percentage of cluster resources reserved as failover spare capacity setting. Rather than setting aside a certain number of hosts' resources, the second policy identifies a percentage of overall cluster resources to reserve. 

Let's return to the extreme example from earlier. That four-host cluster's percentage should be set to 25 percent to protect every VM. But you might not care about protecting every VM because some VMs just aren't that critical. Should you lose a host, these less-important VMs can stay powered off until the problem is fixed. This reduces how many cluster resources you'll need to reserve. Consider using Percentage of cluster resources reserved as failover spare capacity if this situation describes your environment. Also use this setting if you want more exact control over the percentage of resources to reserve. 

You'll generally choose one of these first two Admission Control policies. Remember that with the first option, your cluster will always maintain the correct quantity of resources to be held in reserve, even as you add hardware over time. With the percentage option, on the other hand, you'll probably need to make adjustments as you add more hardware. Remember that percentages decrease as the number of hosts goes up, and adjust your configured percentage as you add hardware. 

The third setting, Specify a failover host, is rarely used. This setting uses no dynamic management and instead lets you select a specific host that will always remain in reserve for failover, effectively telling the cluster never to use that host during normal operations. This option isn't generally the best configuration because it forbids the cluster from balancing its reserve internally and across multiple hosts. 
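The reserve arithmetic above, worked through in PowerShell as an added example (this code is not from the article or from VMware): it models the first two admission control policies and a host loss with constructed host and VM objects, sizing everything in GB of memory, which is a simplification of vSphere's slot calculation. The function names, the host and VM names, and the sizes are the example's own.

```powershell
# Added example, not from the article: models VMware HA admission control reserves.
# Hosts and VMs are constructed sample objects with Name/CapacityGB and
# Name/MemoryGB/Priority properties; capacity is memory only (a simplification
# of the real slot calculation).

function Get-HAFailoverReserve {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Hosts,
        [Parameter(Mandatory = $true)] [object[]] $VMs,
        [ValidateSet('HostFailures', 'Percentage')] [string] $Policy = 'HostFailures',
        [int] $HostFailures = 1,   # "Host failures cluster tolerates"
        [int] $Percentage   = 25   # "Percentage of cluster resources reserved as failover spare capacity"
    )
    $total = 0;  foreach ($h in $Hosts) { $total  += $h.CapacityGB }
    $demand = 0; foreach ($v in $VMs)   { $demand += $v.MemoryGB }

    if ($Policy -eq 'HostFailures') {
        # Reserve the N most powerful hosts' worth of capacity; grows by itself as hosts are added.
        $reserve = 0
        foreach ($h in ($Hosts | Sort-Object CapacityGB -Descending | Select-Object -First $HostFailures)) {
            $reserve += $h.CapacityGB
        }
    }
    else {
        # A fixed share of the whole cluster; must be revisited by hand as hosts are added.
        $reserve = $total * $Percentage / 100
    }

    [pscustomobject]@{
        Policy          = $Policy
        TotalGB         = $total
        ReserveGB       = $reserve
        ReservePercent  = [math]::Round(100 * $reserve / $total, 1)
        DemandGB        = $demand
        # Admission control stops powering on VMs once demand would eat into the reserve.
        AdmissionAllows = ($demand -le ($total - $reserve))
    }
}

function Test-HAHostFailure {
    # Simulates losing one host with admission control disabled: survivors restart VMs
    # in restart-priority order until their free capacity runs out; the rest stay off.
    param([object[]] $Hosts, [object[]] $VMs, [string] $FailedHost)
    $free = 0
    foreach ($h in $Hosts) { if ($h.Name -ne $FailedHost) { $free += $h.CapacityGB } }
    $rank = @{ High = 0; Medium = 1; Low = 2 }
    $restarted = @(); $poweredOff = @()
    foreach ($v in ($VMs | Sort-Object { $rank[$_.Priority] }, Name)) {
        if ($v.MemoryGB -le $free) { $free -= $v.MemoryGB; $restarted += $v.Name }
        else { $poweredOff += $v.Name }
    }
    [pscustomobject]@{ Restarted = $restarted; PoweredOff = $poweredOff; FreeGB = $free }
}

# Constructed sample: the article's four-host cluster, 64 GB per host, nearly full (240 of 256 GB).
$clusterHosts = 'esx1', 'esx2', 'esx3', 'esx4' | ForEach-Object { [pscustomobject]@{ Name = $_; CapacityGB = 64 } }
$vms = @(
    [pscustomobject]@{ Name = 'dc01';   MemoryGB = 16; Priority = 'High' }
    [pscustomobject]@{ Name = 'sql01';  MemoryGB = 64; Priority = 'High' }
    [pscustomobject]@{ Name = 'exch01'; MemoryGB = 48; Priority = 'Medium' }
    [pscustomobject]@{ Name = 'file01'; MemoryGB = 32; Priority = 'Medium' }
    [pscustomobject]@{ Name = 'test01'; MemoryGB = 40; Priority = 'Low' }
    [pscustomobject]@{ Name = 'test02'; MemoryGB = 40; Priority = 'Low' }
)

# One host in reserve costs 25 percent of a four-host cluster, and 240 GB of demand
# exceeds the 192 GB that remain, so admission control would refuse further power-ons.
Get-HAFailoverReserve -Hosts $clusterHosts -VMs $vms

# Reserving 20 percent instead leaves 204.8 GB usable, still short of 240 GB: the
# percentage policy changes how much is reserved, not how much the VMs need.
Get-HAFailoverReserve -Hosts $clusterHosts -VMs $vms -Policy Percentage -Percentage 20

# The same one-host reserve in a ten-host cluster is only 10 percent.
$tenHosts = 1..10 | ForEach-Object { [pscustomobject]@{ Name = "esx$_"; CapacityGB = 64 } }
(Get-HAFailoverReserve -Hosts $tenHosts -VMs $vms).ReservePercent

# Lose esx2 with admission control off: the High and Medium VMs restart on the 192 GB
# that survive; test01 and test02 (Low) stay powered off.
Test-HAHostFailure -Hosts $clusterHosts -VMs $vms -FailedHost 'esx2'
```

Run it in any PowerShell session; it needs no vCenter connection. The model treats the survivors' free capacity as one pool, whereas real HA must fit each VM onto a single host, so treat its answers as an upper bound on what would restart.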

Figure 4: Admission Control Policy 

Setting VM Options 

Figure 5 shows the second VMware HA configuration screen, Virtual Machine Options. It has two settings that define the behavior of VMs during specific failure situations. Both settings represent overall policy settings. You can adjust individual per-VM settings for each after the cluster is created. 

Figure 5: Virtual Machine Options 

Figure 6: VM Monitoring 

The VM restart priority setting can be 
set to Low, Medium, or High. Recall that 
in a high-availability situation, VMs will be 
restarted on surviving cluster hosts after a 
failure. When this happens, you might want 
certain VMs to restart before others, in case 
you run out of resources. Configuring this 
setting defines what the default will be for 
all VMs, giving each VM a level playing field 
for its restart order. After you've created the 
cluster, you should adjust each VM's restart 
policy inside the properties of the cluster. 
VMs set to High will be restarted before 
those set to Medium or Low. 

The other setting on this wizard screen, 
Host Isolation response, requires careful 
consideration. Remember that a cluster is 
considered healthy when each of its hosts 
can communicate with the others. Should 
a cluster node fail, the others will recognize 
that the failed host is no longer sending 
a heartbeat, and the cluster will attempt 
to use VMware HA to evacuate VMs onto 
surviving hosts. 

But what if a host hasn't actually failed but instead has lost its network connectivity with the rest of the cluster? This situation is a very real possibility due to the many different network connections an ESX cluster uses. Its VMs are still running. In that situation, the rest of the cluster sees that the host has failed, even though it actually hasn't. At the same time, the isolated host sees that it is no longer receiving a heartbeat response from other cluster nodes. What should it do to those VMs? 

The answer to that question is configured 
with the Host Isolation response setting. Your 
options are Leave powered on, Power off, 
and Shut down. Will an isolated host leave its 
VMs powered on, will it gracefully shut them 
down, or will it ungracefully power them off, 
not unlike hitting the VM's power button? 

You might think the most appropriate 
course of action is to leave VMs powered 
on. This can be good if you must ensure 
that VMs stay alive. But the problem is that 
those VMs are now running on a cluster 
host that isn't participating in the cluster. 
VMware HA on the surviving cluster hosts 
is likely attempting to fail over those VMs, 
but because they're still running, file locks 
inside VMFS prevent the VM from being 
failed over. This can cause problems. 

As a result, it's generally a good practice to configure this setting to Power off. Even though this setting means you'll lose VMs during an isolation event, powering VMs down frees their locks so that surviving cluster hosts can fail them over. Once they're failed over, you can fix the isolated host and rejoin it with the cluster. 

Just like with VM restart policy, this option sets the default behavior for all VMs in the cluster. You'll be able to configure individual VM behaviors inside the properties of the cluster after it is created. 

VM Monitoring 

The final VMware HA wizard screen, shown in Figure 6, is VM Monitoring. These settings determine whether to enable monitoring on individual VMs, as opposed to individual hosts, which was configured earlier. They also define what the sensitivity of that monitoring will be. 

By default, VM monitoring is disabled, because VM monitoring will restart a VM if its heartbeat isn't heard. That heartbeat comes from VMware Tools inside the guest, and it can be prevented in several situations, some of which have nothing to do with problems in the VM. For example, a failure in VMware Tools or a misconfiguration of the VM's network card can prevent heartbeats from being received. In either case, even though the VM is functioning perfectly well, its lack of communication can cause VMware HA to restart the VM. It's generally a good idea to leave this functionality disabled until you have a very good understanding of its implications. As with the others, you can always make changes after the cluster is created. 
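The three wizard screens, applied as one VMware PowerCLI script. This is an added example, not part of the article; it assumes PowerCLI is installed and that the vCenter address, datacenter, host and VM names used here (vcenter.example.com, Denver, esx1 and esx2, dc01, sql01, test01) exist in your environment, so replace them with yours. VM Monitoring is deliberately left at its disabled default, as the article recommends.

```powershell
# Added example, not from the article: the New Cluster Wizard settings applied with
# VMware PowerCLI. Assumed names: vcenter.example.com, datacenter 'Denver',
# hosts esx1/esx2.example.com, VMs dc01, sql01 and test01. Requires PowerCLI.
Connect-VIServer -Server 'vcenter.example.com'   # prompts for credentials

$dc = Get-Datacenter -Name 'Denver'

# Cluster-wide defaults, matching the wizard screens in Figures 3 to 5.
$clusterSettings = @{
    Name                      = 'Prod-HA'
    Location                  = $dc
    HAEnabled                 = $true
    HAAdmissionControlEnabled = $true       # refuse power-ons that would consume the failover reserve
    HAFailoverLevel           = 1           # "Host failures cluster tolerates" = 1
    HARestartPriority         = 'Medium'    # default VM restart priority
    HAIsolationResponse       = 'PowerOff'  # isolated host releases its VMFS locks so survivors can restart its VMs
    DrsEnabled                = $false      # DRS is licensed separately; left off here
}
$cluster = New-Cluster @clusterSettings

# Only hosts licensed for VMware HA (Figure 1) belong in the cluster.
Get-VMHost -Name 'esx1.example.com', 'esx2.example.com' | Move-VMHost -Destination $cluster

# Per-VM overrides are set after the cluster exists; the wizard only sets the defaults.
Get-VM -Name 'dc01', 'sql01' | Set-VM -HARestartPriority High -Confirm:$false
Get-VM -Name 'test01'        | Set-VM -HARestartPriority Low -HAIsolationResponse DoNothing -Confirm:$false

# Read back what the cluster actually enforces rather than trusting the wizard summary.
Get-Cluster -Name 'Prod-HA' |
    Select-Object Name, HAEnabled, HAAdmissionControlEnabled, HAFailoverLevel,
                  HARestartPriority, HAIsolationResponse
Get-VM -Location $cluster | Select-Object Name, HARestartPriority, HAIsolationResponse
```

The read-back at the end is the useful part: it is the same check you would make after any change to the cluster properties, and it shows per-VM overrides next to the cluster default so an isolation response of DoNothing on a VM you expected to power off stands out.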

More Complicated than You'd Think 

For a service that simply reboots VMs on surviving cluster hosts, VMware HA is a complex beast. Plan carefully! Ensure that you've got the spare host capacity to reserve for failover. Not having enough hardware can combine with VMware HA's Admission Control policies to create a big headache down the road. Even when you enable VMware HA, make sure you configure its settings carefully. Explore your available options well and think through your configurations before you click Turn On VMware HA. 

InstantDoc ID 128828 


Greg Shields 

(virtualgreg@concentratedtech.com) 

FEATURE 


Windows PowerShell provides native capabilities for string pattern matching and string replacement through its comparison operators. However, PowerShell doesn't have a native cmdlet for replacing strings of text in files, so I wrote the Replace-FileString.ps1 script to fill this void. After I show you how to take advantage of PowerShell's native capabilities, I'll show you how to use Replace-FileString.ps1. 


Script fills void left from missing cmdlet 

by Bill Stewart 

PowerShell's Native Capabilities 

PowerShell's -like, -match, and -replace operators make matching and replacing strings much more accessible to nonprogrammers. PowerShell's command line provides users with the ability to experiment with .NET regular expressions with greater ease than with traditional scripting languages. A regular expression (sometimes referred to as regex) is a string that contains special characters or character sequences that represent other characters or character sequences. Regular expressions are similar to wildcard patterns but are much more expressive. If you're not familiar with regular expressions, the PowerShell Help topic about_regular_expressions can help you get started learning about them. To view the help topic, type 

Get-Help about_regular_expressions 

at a PowerShell prompt. 

An obvious application for regular expressions is to replace strings in files. For example, suppose you want to extract only the computer names from the output of a Net View command. If you run the command 

Net View > List.txt 

then open the List.txt file in Notepad, you'll notice all kinds of extraneous information such as column headings, extra spaces at the end of each line, and a footer line that tells you the command completed successfully. Using regular expressions in PowerShell, you can extract and output only the computer names. Take, for example, the command 

Get-Content List.txt | Where-Object { $_ -match '^\\\\' } | ForEach-Object { $_ -replace '^\\\\(\S+).+', '$1' } 

Table 1: Patterns in the Extraction Code 

Pattern   Description 

^\\\\     Refers to a line starting with two backslashes. 
(\S+)     Groups one or more non-whitespace characters (i.e., the computer name) for use in the replacement string. 
.+        Refers to one or more of any other character (i.e., the trailing characters after the computer name). 
$1        Refers to the text captured by the first group (i.e., \S+). 


(Although this command wraps here, you'd enter it all on one line in the PowerShell console. The same holds true for the other commands that wrap.) The Get-Content cmdlet retrieves each line in List.txt. The Where-Object cmdlet then uses the -match operator to check whether each line starts with two backslashes. If a line starts with two backslashes, it's passed to the ForEach-Object cmdlet, which uses the -replace operator to output only the computer names. 

Let's take a closer look at the -match operator, which is used with the pattern ^\\\\. The caret symbol (^) anchors the match to the beginning of the line. Because the backslash is the escape character for regular expressions, you have to use two backslashes (\\) to represent a single backslash (\). Thus, to match the two literal backslashes at the start of the line, you need a total of four. Table 1 describes this and the other regular expression patterns used in this command. 
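The same extraction, as an added example that is not part of the article, run against a constructed copy of Net View output so it can be tried with no network and no List.txt. The function name and the server names are the example's own. It uses .* rather than the article's .+ after the capture group, which is the one edge case the article's pattern misses: a line that holds a computer name and nothing else would not match .+ and would be passed through with its backslashes intact.

```powershell
# Added example, not from the article. $netViewOutput is constructed sample text
# shaped like Net View output (header, separator, server lines, footer).
$netViewOutput = @'
Server Name            Remark

-------------------------------------------------------------------------------
\\FILESRV01            Department file server
\\PRINTSRV             Print services
\\WS-ACCOUNTING
The command completed successfully.

'@

function Get-ComputerNameFromNetView {
    param([Parameter(ValueFromPipeline = $true)] [string] $Line)
    process {
        # -match anchors with ^; the four backslashes in the pattern are two
        # escaped backslashes, i.e. the two literal backslashes that start a server line.
        if ($Line -match '^\\\\') {
            # (\S+) captures the name; .* swallows the remark and any trailing spaces.
            # .* instead of .+ so a line that is only a name still matches.
            $Line -replace '^\\\\(\S+).*', '$1'
        }
    }
}

# Split on CRLF or LF so the sample works whatever line endings the file was saved with.
$names = $netViewOutput -split "`r?`n" | Get-ComputerNameFromNetView
$names                 # FILESRV01, PRINTSRV, WS-ACCOUNTING (one per line)
$names -join ','       # FILESRV01,PRINTSRV,WS-ACCOUNTING

# The article's one-liner does the same against a real List.txt:
# Get-Content List.txt | Where-Object { $_ -match '^\\\\' } | ForEach-Object { $_ -replace '^\\\\(\S+).+', '$1' }
```

Note that '$1' is in single quotes: in double quotes PowerShell would expand $1 as a variable before the regex engine ever saw it.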

Replace-FileString.ps1 

When working with text files, it's often useful to be able to replace strings in a file using regular expressions, then write the results back to the original file. Because there isn't a PowerShell cmdlet that provides this functionality, I wrote Replace-FileString.ps1. It's a PowerShell equivalent to opening a file with Notepad, doing a find-and-replace operation, and saving the file. But unlike Notepad, you can use this script to replace strings in multiple files at the same time. 

Replace-FileString.ps1 supports searching across line breaks because it uses the ReadAllText method of the .NET Framework's System.IO.File class instead of the Get-Content cmdlet to read in text. Unlike Get-Content, which reads a file one line at a time, the ReadAllText method reads each file as a single string, so it can find strings across line breaks. (Because each file is one string, the script might run slowly for very large files.) 

Replace-FileString.ps1 requires PowerShell 2.0. The script's command-line parameters are listed in Table 2. In addition to the parameters listed in Table 2, the script also supports the -Confirm, -Verbose, and -WhatIf common parameters. There are two required parameters: -Pattern and -Replacement. You also need to specify the file in which you want to find and replace strings. There are two ways you can do so. The first way is to use the -Path or -LiteralPath parameter in a command such as

Replace-FileString -Pattern 'this' -Replacement 'that' -Path Test.txt

Typically, you don't need to use the -LiteralPath parameter unless you need to specify a path or filename that contains characters that PowerShell normally interprets as wildcards. (Square brackets, [ ], are the usual culprits.)

The second way is to pipe file objects to the script by using a command such as

Get-Item Test.txt | Replace-FileString -Pattern 'this' -Replacement 'that'

To demonstrate how to use Replace-FileString.ps1, let's look at three sample applications. I'll show you how to use the script to convert Net View output to a comma-delimited list of computer names, replace data in .ini files, and replace an LDAP path in a set of scripts.

Table 2: The Replace-FileString.ps1 Script's Parameters

Parameter        Description

-Pattern         Specifies the regular expression pattern.

-Replacement     Specifies the replacement pattern.

-Path            Specifies the path to one or more files. Wildcard characters are permitted. The -Path and -LiteralPath parameters are mutually exclusive. You can omit this parameter if you pipe file objects to the script.

-LiteralPath     Specifies the path to one or more files. The value of this parameter is used exactly as it is typed. No characters are interpreted as wildcards. The -LiteralPath and -Path parameters are mutually exclusive.

-CaseSensitive   Makes pattern matching case-sensitive. The default is to ignore case.

-Multiline       Changes the meaning of ^ and $ so that they match the beginning and end, respectively, of any line. The default is that ^ and $ match the beginning and end, respectively, of the entire file.

-UnixText        Causes $ to match only line feed (\n) characters. By default, $ matches carriage return+line feed (\r\n). (Windows-based text files usually use \r\n as line terminators, while UNIX-based text files usually use only \n.)

-Overwrite       Overwrites a file. It first creates a temporary file containing all replacements, then replaces the original file with the temporary file. The default is to output but not overwrite.

-Force           Allows overwriting of read-only files. Note that this parameter can't override security restrictions.

-Encoding        Specifies the encoding for the file when -Overwrite is used. Possible values are ASCII, BigEndianUnicode, Unicode, UTF7, UTF8, and UTF32. The default value is ASCII.

-Confirm         Prompts before overwriting a file if using -Overwrite.

-WhatIf          Outputs what the script would do instead of doing it if using -Overwrite.

Listing 1: Command to Modify the MyApp.ini Files

Get-Content Clients.txt | ForEach-Object { Get-Item "\\$_\C$\Program Files\My Application\MyApp.ini" } |
  Replace-FileString -Pattern 'Server=appserver1(\r\n)Port=7840' -Replacement 'Server=appserver2$1Port=8740' -Overwrite

Table 3: Patterns for Sample Application 2

Pattern    Description

(\r\n)     Groups a newline (carriage return and line feed) for use in the replacement string.

$1         Refers to the first instance of the grouped expression (i.e., the newline).

Figure 1: MyApp.ini

[MyApplication]
Server=appserver1
Port=7840
ThisComputer=acct15

Sample Application 1

Suppose you need to convert Net View output to a comma-delimited list of computer names. To begin, you can use the Net View command combined with the -match and -replace operators to generate a list of computer names, like so:

Net View | Where-Object { $_ -match '^\\\\' } | ForEach-Object { $_ -replace '^\\\\(\S+).+', '$1' } | Out-File Computers.txt

(See Table 1 for the descriptions of the regular expression patterns.) The Computers.txt file now contains the computer names from the Net View command, one computer name per line. Next, you can have Replace-FileString.ps1 replace the newlines in the file with commas by using the command

Replace-FileString -Pattern '\r\n' -Replacement ',' -Path Computers.txt

This command replaces all \r\n (carriage return and line feed) sequences in the file with commas and outputs the result. If desired, you can add the -Overwrite parameter to replace the original file with the modified copy, like so:

Replace-FileString -Pattern '\r\n' -Replacement ',' -Path Computers.txt -Overwrite
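To see the first sample application's pipeline run against concrete input, here is an added PowerShell example; it is not code from the article or from Replace-FileString.ps1. The Net View listing is constructed sample data and the function name ConvertTo-ComputerNameList is my own. It goes one step beyond the article by handling a listing whose last entry has no Remark column, and by joining the names directly rather than replacing the newlines in Computers.txt.

```powershell
# Constructed sample of what Net View prints (sample data, not a capture
# from a real network). The last entry deliberately has no Remark column.
$sampleNetView = @'
Server Name            Remark

-------------------------------------------------------------------------------
\\ACCT15               Accounting workstation
\\FILESRV01            Departmental file server
\\ACCT16
The command completed successfully.
'@

function ConvertTo-ComputerNameList {
    # Hypothetical helper: applies the article's -match/-replace pipeline to
    # lines of Net View output and returns one comma-delimited string.
    param([Parameter(Mandatory)][string[]]$NetViewLines)

    $names = $NetViewLines |
        # ^\\\\ : keep only lines that start with two literal backslashes.
        Where-Object { $_ -match '^\\\\' } |
        # (\S+) captures the name; .* swallows whatever follows. The article
        # uses .+ here, which requires at least one trailing character: on a
        # line such as "\\ACCT16" with nothing after the name, the regex
        # engine backtracks and $1 becomes "ACCT1". With .* the capture stays
        # "ACCT16" whether or not a remark follows.
        ForEach-Object { $_ -replace '^\\\\(\S+).*', '$1' }

    # -join produces "A,B,C" with no trailing comma. Replacing every \r\n in
    # Computers.txt with a comma, as in the article, leaves a trailing comma
    # because the final line written by Out-File is newline-terminated too.
    return ($names -join ',')
}

$list = ConvertTo-ComputerNameList -NetViewLines ($sampleNetView -split "`r?`n")
if ($list -ne 'ACCT15,FILESRV01,ACCT16') { throw "unexpected result: $list" }
$list
```

On a real network Net View pads every row out to the Remark column, so the article's .+ normally sees trailing spaces and works; the .* form simply removes that dependency on the output's layout.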

Sample Application 2

Suppose that you have a client-server application called MyApplication. Numerous computers in the network use the client application to connect to appserver1 on TCP port 7840. Due to a security breach, the security administrator has dictated that the server portion of the application should now run on a different server (appserver2) and use a different port (8740). The client application stores the name of the server and TCP port in the C:\Program Files\My Application\MyApp.ini file. Figure 1 shows the relevant section of MyApp.ini for the computer named acct15.

You can't simply roll out an updated copy of the MyApp.ini file to the affected client machines because this file contains client-specific information (in this case, the computer name). Instead, you can use Replace-FileString.ps1 to update the .ini files on the affected computers.

First, you need to place the computer names that run the client application in a text file, one computer name per line, in a file called Clients.txt (see Figure 2). Then, you can use the command in Listing 1 to modify the MyApp.ini files.

Figure 2: Clients.txt

In this command, the Get-Content cmdlet retrieves each computer name in Clients.txt. The ForEach-Object cmdlet retrieves the MyApp.ini file on each computer using the Get-Item cmdlet. Finally, the command uses the retrieved file object as input for the Replace-FileString.ps1 script. Using the pattern and replacement strings described in Table 3 along with the -Overwrite parameter, the script updates MyApp.ini with the changes. Because the .NET regular expression engine doesn't support escape sequences (such as \r and \n) in the replacement string, this command uses parentheses and $1 to insert the line break.
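The mechanics described for Replace-FileString.ps1 earlier (ReadAllText, regex options, a temporary file swapped over the original) and the cross-line replacement in this sample application can be illustrated with a small re-implementation. The following PowerShell is an added example, not the article's script: Invoke-RegexFileReplace and its parameters are hypothetical names, it omits -UnixText and -Force, and it creates its own MyApp.ini sample in the temp directory, modelled on Figure 1, so it runs without Clients.txt or any remote computer.

```powershell
function Invoke-RegexFileReplace {
    # Minimal re-implementation of the mechanics the article describes for
    # Replace-FileString.ps1: read the whole file as one string so a pattern
    # can span line breaks, run a .NET regex replacement, and either emit the
    # result or write a temp file and swap it over the original. Hypothetical
    # name and parameters; not the article's script (no -UnixText, no -Force).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$Replacement,
        [switch]$CaseSensitive,
        [switch]$Multiline,
        [switch]$Overwrite,
        [ValidateSet('ASCII','UTF8','Unicode','BigEndianUnicode','UTF32')]
        [string]$Encoding = 'UTF8'
    )

    # ReadAllText returns the file as a single string; Get-Content would hand
    # back one line at a time, and '(\r\n)' could never match.
    $text = [System.IO.File]::ReadAllText($Path)

    $opts = [System.Text.RegularExpressions.RegexOptions]::None
    if (-not $CaseSensitive) { $opts = $opts -bor [System.Text.RegularExpressions.RegexOptions]::IgnoreCase }
    if ($Multiline)          { $opts = $opts -bor [System.Text.RegularExpressions.RegexOptions]::Multiline }
    $regex  = New-Object System.Text.RegularExpressions.Regex -ArgumentList $Pattern, $opts
    $result = $regex.Replace($text, $Replacement)

    if (-not $Overwrite) { return $result }

    if ($PSCmdlet.ShouldProcess($Path, 'Overwrite with replacements')) {
        # Write the full result to a temp file first, then replace the
        # original, so an error mid-write cannot leave a truncated file.
        $tmp = [System.IO.Path]::GetTempFileName()
        [System.IO.File]::WriteAllText($tmp, $result, [System.Text.Encoding]::$Encoding)
        Move-Item -LiteralPath $tmp -Destination $Path -Force
    }
}

# --- Demonstration on a constructed MyApp.ini in the temp directory ---
$ini = Join-Path ([System.IO.Path]::GetTempPath()) 'MyApp.demo.ini'
# Constructed content mirroring Figure 1, with the \r\n line endings a
# Windows text file normally has.
[System.IO.File]::WriteAllText($ini, "[MyApplication]`r`nServer=appserver1`r`nPort=7840`r`nThisComputer=acct15`r`n")

# Same pattern and replacement as Listing 1. The captured (\r\n) is put back
# with $1 because .NET replacement strings do not interpret \r or \n.
Invoke-RegexFileReplace -Path $ini -Pattern 'Server=appserver1(\r\n)Port=7840' `
    -Replacement 'Server=appserver2$1Port=8740' -Overwrite

$after = [System.IO.File]::ReadAllText($ini)
if ($after -notmatch 'Server=appserver2\r\nPort=8740') { throw 'replacement did not span the line break' }
if ($after -notmatch 'ThisComputer=acct15')            { throw 'client-specific line was lost' }
Remove-Item -LiteralPath $ini
$after
```

Two differences from the article's script are deliberate. The default encoding here is UTF8 rather than ASCII: WriteAllText with the ASCII encoding substitutes '?' for every non-ASCII character, so overwriting a configuration file that contains, say, accented characters with an ASCII default would silently corrupt it. And because the function declares SupportsShouldProcess, -WhatIf and -Confirm apply to the overwrite step, matching what Table 2 describes for the original.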


Sample Application 3

Suppose you downloaded a set of sample system management VBScript scripts from a website to C:\SampleScripts on your computer. All the scripts contain the sample LDAP path DC=fabrikam,DC=com. Rather than edit the sample scripts one at a time, you can use Replace-FileString.ps1 to replace the sample LDAP path with your network's LDAP path. To do so, you just need to run the command

Replace-FileString -Pattern 'DC=fabrikam,DC=com' -Replacement 'your LDAP path' -Path C:\SampleScripts\*.vbs -Overwrite

where 'your LDAP path' is your network's LDAP path.

Easily Edit Files with Regular Expressions

PowerShell doesn't have a native cmdlet for replacing strings in files, but you can use Replace-FileString.ps1 to fill this void. This script makes it easy to replace strings in one or more files using regular expressions. You can download Replace-FileString.ps1 by going to www.windowsitpro.com, entering 126454 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button.

InstantDoc ID 126454
Microsoft Exchange Server 2007 marked a dramatic departure for Microsoft in several ways: It consigned the x86 architecture to the dustbin of computing history; it made dramatic changes to the way Exchange high availability works; and it added integration with voicemail and faxes. This last item, which Microsoft called Exchange Unified Messaging (UM), was seen as the least revolutionary of all the Exchange 2007 changes because it largely duplicated features that third parties had already been offering in various ways.

However, Exchange 2007 UM was better-integrated, faster, and more robust than its third-party competitors. Because it was integrated directly with the Exchange transport and store architecture, it was able to deliver messages directly to user mailboxes without the need for IMAP-based polling, and it tied into Active Directory (AD) to provide dial-by-name capability based on the contents of the Global Address List (GAL). It was lacking a few features, such as the ability to trigger the message waiting indicator (MWI) on PBX-connected phones, but overall it was a significant upgrade to the state of UM for Exchange. The fact that most naysayers missed was that the architecture of Exchange 2007 UM laid the groundwork for some compelling features that couldn't feasibly be delivered by third parties. Now, with the release of Exchange 2010, we have the proof of that fact.

When the Phone Rings: A Recap 

Exchange 2010 answers incoming calls in the same basic way that Exchange 2007 does. An incoming 
call is routed to the Exchange UM server by a PBX, Microsoft Office Communications Server (OCS), or 
a VoIP gateway. (Hereafter I'll refer to whatever device operates the phone system as a PBX, even if it's 
really OCS.) The PBX has a set of instructions that specify what should happen when a call for a given 
extension isn't answered. These instructions can specify different actions for calls to busy extensions 
and those that aren't answered within a certain time. In this case, let's say that the called extension 
goes unanswered. Following its instructions, the PBX transfers the call to the UM server, which accepts 
the call request—provided it comes from a known UM IP gateway—plays the appropriate greeting, 
and records the response. 

An alternative scenario occurs when you're using Exchange to provide automated attendant functionality. In this case, you set the PBX to route all incoming calls to the auto attendant pilot number on the Exchange server. The UM server answers all calls to the pilot number with a standardized greeting, then lets callers perform dial by name, transfer to other auto attendants, and so on.

Some aspects of these behaviors have changed in Exchange 2010, but the overall call-answering 
flow is unchanged. In this article, I'll discuss just the changes to the flow where they're pertinent. 


Voice Mail Preview, a message waiting indicator, and improved language support add to Exchange's UM capabilities

by Paul Robichaux


Fax: Gone But Not Forgotten 

Let's start with the easiest change to describe: Exchange 2010 UM no longer includes support for fax reception through a local PBX. The fax feature set of Exchange 2007 was a great idea that was somewhat before its time: The idea of integrating fax with Exchange was a good one, but it came at a time when overall usage of fax was declining and when companies such as OpenText were shipping full-featured fax-integration products. Getting it to work depended on having the right PBX properly configured, and it didn't offer features that competing third-party solutions provided. More important, because Exchange 2007 included only fax reception, customers who wanted full fax functionality still had to deploy another solution to provide faxing from the desktop. By the time the expense and difficulty of doing so were factored in, it was often more cost-effective to deploy a third-party fax system than to deploy Exchange UM just for the fax feature.

However, Exchange 2010 still receives faxes after a fashion. Exchange 2007 listens for the T.38 CNG (calling number generated) tone, an 1100Hz sound that fax machines use to signal to each other. When it receives the CNG tone, it treats the call as a fax and tries to receive it as a T.38 stream. Exchange 2010 does things a bit differently; there are actually three ways an incoming fax can trigger the answering. Before we can discuss them, though, I need to point out that UM call answering is typically a two-stage process. The PBX or IP gateway sends a SIP INVITE message to Exchange, which responds and answers the call. The two sides agree on a set of parameters for the conversation, then exchange audio data using the Real-time Transport Protocol (RTP).

The first, and simplest, method for Exchange 2010 to detect a fax call is that Exchange itself can detect the CNG tones. It can't do this until after it's answered the call, however. The second method is that the IP gateway or PBX can notice the CNG tones in the incoming audio stream, at which point the gateway sends a notification to Exchange in the RTP audio stream that essentially says, "Hey, this is a fax call!" Exchange then sends a SIP REFER message to the gateway or PBX, which transfers the call to the fax over IP (FoIP) provider. The most complex process occurs only with gateways that don't support dynamic notification of the T.38 protocol in RTP. In this case, the gateway sends a new SIP INVITE to Exchange with a different RTP profile—the one for fax—specified. Exchange puts the gateway on hold, then sends the SIP REFER message to have the call transferred.

How does Exchange know where to 
send the fax? You have to specify the URL 
of the fax service you want to use as part of 
the UM dial plan. After that's been done, 
you can control whether users can receive 
faxes by adjusting the Allow inbound faxes 
option either on the dial plan or on a 
UM mailbox policy. Exchange redirects 
the call, with its original caller and callee 
data intact, to the FoIP provider. The fax 
provider accepts the fax, then returns it 
to Exchange as an email message, usually 
with a TIFF (.tif) attachment. That might 
seem like an odd choice of attachment 
format, but the TIFF standard specifies a 
way to produce multipage attachments in 
a single file, making it a decent choice for 
fax transmission. 


This process provides for a more efficient means of distributing inbound faxes to recipients; the Exchange 2007 method of delivering all faxes to one place was a hassle for recipients. There are several fax services that support Exchange 2010 fax reception, giving you a choice of service terms and prices. Microsoft maintains a list of FoIP partners on its Exchange Independent Software Vendors web page (www.microsoft.com/exchange/2010/en/us/independent-software-vendors.aspx#unified). Customers moving to Exchange 2010 who have already deployed Exchange 2007 fax reception will find that they have no choice but to move to a fax service even if they don't want to. One additional note I should point out is that this integration doesn't work—and thus faxes cannot be received—if you're using OCS 2007 R2 as your PBX solution.

Language Support 

Exchange 2007 includes two types of speech capability: automatic speech recognition (ASR) and Text-to-Speech (TTS). In addition, Exchange UM uses prerecorded audio prompts that give callers information and instructions. These three features are all language-specific, and they're bundled together into language packs. Installing, say, the French language pack on a UM server enables the server to provide ASR, TTS, and prerecorded prompts in French.

However, not all Exchange 2007 language packs include ASR. For example, the Mandarin Chinese language pack provides TTS support, but no ASR. In fact, only the English language packs (for British, Australian, and American dialects) include full ASR. This limitation has been a major blocker for UM deployment in large multinational enterprises. The solution, though, wasn't entirely up to the Exchange team.

Both ASR and TTS capabilities are provided by the Speech Server core. Speech Server was a separate product until about 2005, at which point it was removed from Microsoft's product catalog and rolled into what became OCS. Its core was built into OCS 2007 and Exchange 2007. In fact, the Exchange 2007 UM role is in large measure a custom Speech Server application. Exchange 2010 uses a much newer version of Speech Server (which is also present in OCS 2007 R2). Exchange 2010 currently supports ASR, TTS, and prompts for Simplified and Traditional Chinese; Dutch; British, Australian, and American dialects of English; Canadian and traditional French; German; Italian; Japanese; Korean; Brazilian Portuguese; Spanish (in both Catalan and Latin American dialects); and Swedish. Language packs have been promised for several additional languages and dialects, including Indian English, Russian, and Hong Kong Chinese. These additions make Exchange 2010 much more useful for global deployments, as well as to organizations that depend on being able to handle callers with languages other than English.

Changes to Caller ID Resolution 

One of the most useful features of Exchange 
UM is its ability to resolve callers' phone 
numbers to give you information about 
who called as well as a set of links to 
return the call. Every call that comes to the 
UM server should contain calling line ID 
(CLID) data that indicates the source of the 
call. Note that the PBX or gateway could 
mangle or even omit CLID data, in which 
case Exchange won't be able to resolve the 
number; in some locales, it's possible that 
the CLID data wasn't delivered to the PBX 
or gateway by the phone system, although 
this is becoming more and more rare. 

The easiest case to resolve is one in 
which the caller's name is known because 
he or she is using Outlook Voice Access 
to place a call, or the user is calling from 
Communicator or a Communicator Phone 
Edition phone. These methods require the 
user to be authenticated, so Exchange can 
identify the caller. 

Failing that scenario, Exchange uses a special type of proxy address known as the Exchange UM (EUM) proxy address. The EUM proxy for a given user is essentially that user's extension number coupled with the Fully Qualified Domain Name (FQDN) of the dial plan that hosts the user. For example, 1006@pa-hq.corp.contoso.local is the EUM proxy address for the user who owns extension 1006 in the "pa-hq.corp.contoso.local" dial plan.

Exchange tries to match the CLID data 
against a number of sources. It begins 
by constructing an EUM address with 
the CLID information, then checking it 
against the called party's dial plan. This 
step catches the case where a user in one 
dial plan calls another user in the same dial 
plan. If that match fails, the constructed 
proxy is tested against other available dial 
plans in the organization, covering the case 
where a user in one dial plan makes an 
internal call to a user on another dial plan. 

If that method doesn't find a match, the caller's EUM proxy is checked to see if it looks like a valid Session Initiation Protocol (SIP) Uniform Resource Identifier (URI), such as sip:paul@robichaux.net. If it contains an @ character, it's checked against a list of known SIP proxy addresses. If it's not found, or if the EUM proxy contains a + character, it's normalized to E.164 format and checked again, this time using the msExchUMCallingLineIDs attribute in AD. You have to manually populate this attribute by using the Set-User cmdlet with the -UMCallingLineIds parameter; using this attribute is a useful way to store a phone number that can be matched against callers without being visible to users. If there's no match, the msRTCSIP-Line attribute is checked; this attribute is present only if OCS 2007 (or a later version) is installed and the caller has an extension registered with OCS.

If the number still isn't matched, the next step is to look it up in AD. Every user object in AD has several potential phone numbers: There are attributes named telephoneNumber, otherTelephone, homePhone, mobile, and more, but they're not indexed, meaning that searching against them is inefficient. So, you can control whether AD matching is possible by setting the AllowHeuristicADCallingLineIdResolution attribute on the dial plan. This attribute is enabled by default in Exchange 2010 SP1.

Although searching AD sounds like a 
great solution, there's one problem with 
it: If you haven't used a consistent and 
correct format to put the numbers in, you 
won't get predictable—or even necessarily 
correct—results. Microsoft suggests you 
use E.164 format for these numbers even 
if you're not using OCS or another SIP 
system that requires it. You can use the 
-NumberingPlanFormats attribute on the 
dial plan to specify a mask that Exchange 
will use in converting whatever format 
you're using into something else. 

Lastly, the caller EUM proxy is checked 
against the user's personal Contacts folder 
if Contacts resolution is turned on for the 
dial plan. Exchange 2010, sadly, doesn't 
provide a way to match caller ID data 
against public folders with contact data, 
though. 

At this point, one of two things is true. If Exchange found a matching user, the user's name will be displayed, and whatever phone numbers could be located will be included in the voicemail or missed-call notification message. If any number matches, all of the user's numbers will be displayed; for example, if the user's work number matches, the resulting message (with its click-to-call links) will include all numbers defined for that user. If the number couldn't be matched, only the number will be displayed.
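The resolution order described in this section is easier to follow as code. The PowerShell below is an added example, not part of the article and not Exchange's implementation: it models the lookup chain against a constructed in-memory directory, with Resolve-CallerId and ConvertTo-E164 as hypothetical helpers and a deliberately simplified E.164 conversion standing in for the dial plan's NumberingPlanFormats masks. It omits the msRTCSIP-Line and Contacts folder steps. The last check shows the point made above about inconsistent number formats: a number stored free-form in telephoneNumber does not match the normalized caller ID, while the same number stored in E.164 form does.

```powershell
# Constructed directory objects with the attributes the article names.
# Sample data only; nothing here queries Active Directory or Exchange.
$directory = @(
    [pscustomobject]@{ Name = 'Paul';  EumProxy = '1006@pa-hq.corp.contoso.local'
                       SipAddress = 'sip:paul@contoso.com'
                       UMCallingLineIds = @('+15555550106'); telephoneNumber = '(555) 555-0106' }
    [pscustomobject]@{ Name = 'Anna';  EumProxy = '2001@eu-hq.corp.contoso.local'
                       SipAddress = $null; UMCallingLineIds = @(); telephoneNumber = '+4930555020' }
    [pscustomobject]@{ Name = 'Bob';   EumProxy = '1010@pa-hq.corp.contoso.local'
                       SipAddress = $null; UMCallingLineIds = @(); telephoneNumber = '+15555550110' }
    [pscustomobject]@{ Name = 'Carol'; EumProxy = '1011@pa-hq.corp.contoso.local'
                       SipAddress = $null; UMCallingLineIds = @(); telephoneNumber = '555-555-0111' }
)

function ConvertTo-E164 {
    # Simplified stand-in for the dial plan's NumberingPlanFormats masks: a
    # number that already starts with '+' keeps its digits; a bare 10-digit
    # national number gets a default country code. Demo assumption only.
    param([string]$Number, [string]$DefaultCountryCode = '1')
    if (-not $Number) { return $null }
    $digits = $Number -replace '\D', ''
    if ($Number.TrimStart().StartsWith('+')) { return "+$digits" }
    if ($digits.Length -eq 10) { return "+$DefaultCountryCode$digits" }
    return $null
}

function Resolve-CallerId {
    # Models the lookup order the article describes (hypothetical helper).
    param(
        [Parameter(Mandatory)][string]$Clid,
        [Parameter(Mandatory)][string]$CalledPartyDialPlan,
        [Parameter(Mandatory)][object[]]$Directory,
        [switch]$AllowHeuristicADResolution   # stands in for AllowHeuristicADCallingLineIdResolution
    )
    $found = { param($step, $user) [pscustomobject]@{ Step = $step; User = $user.Name } }

    # 1. EUM proxy (extension@dial-plan FQDN) in the called party's dial plan.
    $eum = "$Clid@$CalledPartyDialPlan"
    $hit = $Directory | Where-Object { $_.EumProxy -eq $eum } | Select-Object -First 1
    if ($hit) { return & $found 'EUM proxy, same dial plan' $hit }

    # 2. The same extension in any other dial plan in the organization.
    $hit = $Directory | Where-Object { $_.EumProxy -like "$Clid@*" } | Select-Object -First 1
    if ($hit) { return & $found 'EUM proxy, other dial plan' $hit }

    # 3. A CLID containing '@' is tried as a SIP URI against SIP proxy addresses.
    if ($Clid -like '*@*') {
        $hit = $Directory | Where-Object { $_.SipAddress -eq $Clid } | Select-Object -First 1
        if ($hit) { return & $found 'SIP proxy address' $hit }
    }

    # 4. Normalize to E.164 and compare with msExchUMCallingLineIDs
    #    (populated in a real forest with Set-User -UMCallingLineIds).
    $e164 = ConvertTo-E164 $Clid
    if ($e164) {
        $hit = $Directory | Where-Object { $_.UMCallingLineIds -contains $e164 } | Select-Object -First 1
        if ($hit) { return & $found 'msExchUMCallingLineIDs' $hit }
    }

    # 5. Heuristic AD matching against telephoneNumber, only when the dial
    #    plan allows it. The stored value is compared as-is, which is why a
    #    free-form number in AD fails to match an E.164 caller ID.
    if ($AllowHeuristicADResolution -and $e164) {
        $hit = $Directory | Where-Object { $_.telephoneNumber -eq $e164 } | Select-Object -First 1
        if ($hit) { return & $found 'AD telephoneNumber' $hit }
    }

    [pscustomobject]@{ Step = 'unresolved'; User = $null }
}

$plan = 'pa-hq.corp.contoso.local'
$checks = @(
    @{ Clid = '1006';                 Expect = 'EUM proxy, same dial plan' }
    @{ Clid = '2001';                 Expect = 'EUM proxy, other dial plan' }
    @{ Clid = 'sip:paul@contoso.com'; Expect = 'SIP proxy address' }
    @{ Clid = '+1 (555) 555-0106';    Expect = 'msExchUMCallingLineIDs' }
    @{ Clid = '5555550110';           Expect = 'AD telephoneNumber' }   # Bob's number is stored in E.164
    @{ Clid = '5555550111';           Expect = 'unresolved' }           # Carol's number is free-form
)
foreach ($c in $checks) {
    $r = Resolve-CallerId -Clid $c.Clid -CalledPartyDialPlan $plan -Directory $directory -AllowHeuristicADResolution
    if ($r.Step -ne $c.Expect) { throw "CLID $($c.Clid): got '$($r.Step)', expected '$($c.Expect)'" }
    "{0,-22} -> {1} ({2})" -f $c.Clid, $r.Step, $r.User
}
```

The Carol case is the one to take away: the only difference between Bob and Carol is the format of the value in telephoneNumber, which is exactly why the text above recommends storing E.164 consistently, or keeping a known-good E.164 copy in msExchUMCallingLineIDs where users never see it.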

Text Preview for Voicemail 

Voice Mail Preview is a cool new Exchange 2010 feature that attempts to take some of the mystery out of voicemail. Think about it: When you get a voicemail, you might know who it's from (or you might not, depending on whether caller ID matching worked), but you have no way to know whether the message is important or not without listening to it. Depending on where you are, listening to the message could be difficult or impossible; in many situations, you can peek at the contents of an email message more easily than you can listen to a voicemail. Voice Mail Preview bridges this gap by performing a speech-to-text transcription of the message.

The first question most people have is 
whether the text preview is accurate. The 
answer: sometimes yes, sometimes no. 
Transcription accuracy depends on many 
factors, including sound quality, how fast 
the speaker talks, and whether the person 
has a strong accent. 

One complaint often levied about Exchange 2007 UM is that it was mostly English-only. Therefore, the second question often asked about Voice Mail Preview is whether it is limited to US English. The answer here is a definite no; each UM language pack includes support for Voice Mail Preview. However, the language used for transcription is based on the language set for the dial plan of the called party's extension. Therefore, if a French-speaking user calls a UM user whose extension is in a dial plan that's set to Latin American Spanish, Exchange attempts to transcribe the French message as Spanish, with hilarious and inaccurate results. This restriction aside, having multilingual capability for this feature is a welcome addition.

Protected Voicemail 

Legacy voicemail systems have long offered the ability to mark a message as private. Private messages can't be forwarded to other users. Exchange 2010 offers a similar capability: When you leave a voicemail message, you can choose to mark it as private, and Exchange applies an Active Directory Rights Management Service (AD RMS) template to it that prevents clients from forwarding it. Of course, this feature requires you to have AD RMS installed and running—no small task.

You can enable protected voicemail separately for authenticated and unauthenticated callers, and you can even force all voice messages to be protected. You can't, however, control which AD RMS template is applied; you always get the Do Not Forward template.

Protected voice messages can be played only by compatible clients. By default, Outlook Web App (OWA) 2010 and Outlook 2010 can play them by using their built-in inline media player component. However, if you prefer, you can force users to listen to protected messages with Outlook Voice Access or Play on Phone; this choice is both the most secure route and the most useful, given that Mac OS X and Linux clients as well as mobile devices won't be able to play these messages in unaltered form.

Message Waiting Indicator 

Legacy voicemail systems offer another 
feature that Exchange 2007 didn't include: 
a method of signaling users that a message 
is waiting. The MWI feature varies from 
PBX to PBX. Some systems light a lamp 
on the phone; others turn on a stutter dial 
tone. 

Exchange 2010 supports MWI notification; when you enable it, the Exchange UM server sends a notification to the PBX whenever a covered mailbox gets a new voicemail. The notification itself is generated when the contents of the Voice Mail search folder (which is automatically created on user mailboxes when they're UM-enabled) change. The UM server subscribes to that folder, so any time a voicemail arrives or is removed, the UM server receives a notification and can send the appropriate notification to the PBX.

What happens to it after that is up to the 
PBX—and whatever devices are connected 
to it. The convenience of having voicemail 
messages in the same Inbox as everything 
else seems to remove the need for this 
feature, but it's critical to some users; I've 
seen more than one Exchange 2007 UM 
deployment put on hold until a third-party 
MWI solution could be integrated. 

Building on the Foundation 

Exchange 2010 UM builds on the technical foundation of Exchange 2007 UM and adds some impressive new features. The widely expanded language support, ability to keep voice messages private, and Voice Mail Preview add convenience and flexibility to an already useful product.
When things go wrong with Active Directory's (AD's) Kerberos implementation, troubleshooting can be a daunting task. Ninety-nine percent of the time, everything just works—so opportunities to practice troubleshooting are limited. When you do need to solve a problem, it's important to have a good technical understanding of the protocol. One of Kerberos's most complicated configurable components is the concept of delegation.

In a nutshell, delegation lets a user access an application, and then the application accesses 
another service in the context of the user. A common example is a website that accesses a SQL Server 
database. Rather than access to the database occurring each time in the context of a service account, 
each request to the database is made in the context of the user accessing the website. 

For background information about Kerberos in AD, see "Kerberos in Active Directory," InstantDoc 
ID 125786. For the purposes of this article, let's assume that your AD forest is running at the Windows 
Server 2003 or better functional level and that your application servers are running Server 2003 or 
later, unless otherwise noted. Server 2003 introduced numerous improvements to the Kerberos 
implementation in AD. 


Learn how delegated authentication works

by Brian Desmond


Kerberos Delegation 

At a conference I recently presented at on the topic of Kerberos delegation, I asked the audience to raise their hands if they had ever had to configure Kerberos delegation. A large portion of the audience raised their hands. I subsequently asked those with their hands raised to leave them raised if they had gotten the delegation configured properly on the first attempt. Only a couple of hands remained raised. Unfortunately, little documentation exists on the topics of delegation and constrained delegation. But delegation configuration is a critical component of many enterprise applications.

As I mentioned earlier, the most common example of implementing delegation is to access an application (usually a web application) that subsequently accesses a resource such as a SQL Server database. In order to access the database, the application has to use credentials to make the connection. A common approach is to connect via a dedicated service account that has read and write access to all the necessary data in the database, as Figure 1 shows. The application is then responsible for managing access controls to the data itself because the service account has access to everything.

Another option is for the data to be controlled using SQL Server's native access management capabilities on a per-user or per-group basis. In order for the controls to be effective, the application needs to make the connection in the context of the user who is accessing the application, as Figure 2 shows. The process under which this occurs is known as Kerberos delegation, or more frequently Kerberos constrained delegation.

Figure 1: Accessing data with a service account

Figure 2: Accessing data with Kerberos delegation

In order to access the SQL Server system in Figure 2, the web server needs to obtain a service ticket to the SQL Server service. The service ticket must be for the user accessing the web application (e.g., User 1), not the web server's service account. Thus, the web server presents User 1's service ticket that was used to access the website (e.g., for www.contoso.com) to the Key Distribution Center (KDC) and requests a service ticket to the SQL Server system. The KDC evaluates the delegation settings in AD for the web server; if it's permitted to delegate to the SQL Server system, the KDC takes the presented service ticket as proof that the user is authenticated and returns a new service ticket for the user to the SQL Server system. Figure 3 shows this exchange of information.

So far we've made the assumption that no configuration is required in AD for delegation to work as Figure 3 shows—but this isn't the case, and for good reason. If any service could simply delegate authentication to any other service, a malicious person could lure a user to authenticate to the malicious person's service, giving that person access to every service on the network that the unwitting user has access to.

The default setting in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in's Delegation tab is to not trust the user for delegation. This means that services running in the context of the account can't delegate authentication. Windows 2000 Server supports the Trust this user for delegation to any service (Kerberos only) option, which you can see in Figure 4. With this option enabled, the service can request a service ticket on behalf of the user to any other service in your environment. This option is inherently insecure and as a general rule, you should have nearly no use for it in your environment.

The preferred configuration, which Figure 4 shows, is to enable constrained delegation by selecting Trust this user for delegation to specific services only. This setting limits the service (or computer) account to only be able to request to delegate authentication to the services listed. In this case, service tickets can only be requested on behalf of other users to the SQL Server service on sql.contoso.com. When you click Add, you must browse for the user (i.e., service account) or computer hosting the service to which you want to allow delegation. In this case I selected the SQL Server service account. As Figure 5 shows, you'll see a list of Service Principal Names (SPNs) defined on the selected user or computer from which you can select the services to allow delegation to.
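The Delegation tab settings just described are stored in AD as a userAccountControl flag (for "any service") and the msDS-AllowedToDelegateTo attribute (for "specific services only"). The following PowerShell is an added example, not code from the article: it inventories every account in the domain that is trusted for some form of delegation, so the "Unconstrained" entries can be found and reviewed, and it sets the Kerberos-only constrained configuration on a service account. It needs the ActiveDirectory module; the account name svc-web is assumed, and MSSQLSvc/sql.contoso.com:1433 is the SPN from the article's example.

```powershell
# Added example (not from the article): inventory delegation settings in AD and
# configure Kerberos-only constrained delegation for a service account.
# Requires the ActiveDirectory module (RSAT) and rights to read/modify the accounts.
# The account name svc-web is assumed; MSSQLSvc/sql.contoso.com:1433 is the article's SPN.
Import-Module ActiveDirectory

# userAccountControl bits behind the Delegation tab
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DelegationMode {
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo)
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($AllowedToDelegateTo -and $AllowedToDelegateTo.Count -gt 0) {
        if ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { return 'Constrained (any protocol)' }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

function Get-DelegationReport {
    # Every user or computer account trusted for some form of delegation. The 'Unconstrained'
    # rows are the accounts the article says you should have nearly no use for.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.Name
                Class   = $_.ObjectClass
                Mode    = Get-DelegationMode -UserAccountControl $_.userAccountControl `
                                             -AllowedToDelegateTo $_.'msDS-AllowedToDelegateTo'
                Targets = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

function Set-KerberosOnlyConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. svc-web (assumed name)
        [Parameter(Mandatory)][string[]]$TargetSpn        # e.g. MSSQLSvc/sql.contoso.com:1433
    )
    # Clear the unconstrained flag, leave protocol transition off, and list only the targets given.
    Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpn }
    Get-ADUser -Identity $ServiceAccount -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        Select-Object Name,
            @{ n = 'Mode'; e = { Get-DelegationMode $_.userAccountControl $_.'msDS-AllowedToDelegateTo' } },
            'msDS-AllowedToDelegateTo'
}

# Usage:
# Get-DelegationReport | Where-Object Mode -eq 'Unconstrained'
# Set-KerberosOnlyConstrainedDelegation -ServiceAccount 'svc-web' -TargetSpn 'MSSQLSvc/sql.contoso.com:1433'
```

Running Get-DelegationReport on a schedule and alerting on any new "Unconstrained" row is a cheap control against the lure-and-relay scenario the text describes, since unconstrained delegation is exactly what makes it possible.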

Protocol Transition

Protocol transition is an added function of the AD Kerberos implementation that Microsoft introduced in Server 2003. So far in our discussion, when the www.contoso.com application needed to access SQL Server as the current user, the web server presented the user's service ticket to the web application to obtain a service ticket to the SQL Server system, as Figure 3 shows. This scenario is only possible if the user authenticates to the website using Kerberos. If the user authenticates via forms-based logon, through another protocol such as NTLM, or perhaps with another mechanism such as an RSA SecurID token, the web application can't obtain a service ticket on the user's behalf because Kerberos isn't involved.

Figure 3: Kerberos delegation message exchange
1. User 1 presents a service ticket for http/www.contoso.com to the web server.
2. The web server presents User 1's service ticket to the KDC as proof of authentication and requests a service ticket to the SQL Server system.
3. The KDC evaluates the delegation settings for the web server and, if properly configured, returns a service ticket to mssqlsvc/sql.contoso.com:1433 for user1@contoso.com.
4. The web server presents the new service ticket to the SQL Server system to access the database.

Figure 4: Enabling constrained delegation

To enable this scenario, you can configure a service account or computer account to perform protocol transition, which lets the service or computer account request a service ticket to a service without having a service ticket from the user. In lieu of presenting the user's service ticket to the website, the service account presents its own ticket-granting ticket (TGT) and requests a service ticket to itself in the name of the user. Figure 6 shows the sequence of Kerberos requests and replies when protocol transition is performed.

It's important to note that because of the sensitivity of protocol transition, it's available only in conjunction with Kerberos constrained delegation.



To configure protocol transition, select Use any authentication protocol rather than Use Kerberos only when you enable constrained delegation. The sensitivity of this configuration comes from the fact that you're giving the application the ability to make a claim to the KDC that it successfully authenticated a user regardless of whether it actually did so. To limit the risk, you must configure the services that the application can make this claim to in the form of a service ticket.

Figure 5: Selecting services to allow delegation

For the exchange illustrated in Figure 6 to be successful, several additional prerequisites are necessary in addition to configuring the service account's settings. First, the service account must be able to access the group membership of the user it's trying to obtain a service ticket for. This access is granted through membership in the AD Windows Authorization Access group. This group is delegated read access to the AD tokenGroupsGlobalAndUniversal attribute.

Next, to actually perform delegated authentication, the service account also needs the Act as Part of the Operating System (SeTcbPrivilege) and Impersonate a Client After Authentication (SeImpersonatePrivilege) security privileges. The Act as Part of the Operating System privilege is especially sensitive and by default is only granted to the SYSTEM account. If you grant this right to the service account running a web application and the application is compromised, the attacker will have full control of the server. Typically applications that make large-scale use of protocol transition, such as single sign-on (SSO) tools, implement a special service that runs under the SYSTEM account and performs the necessary Kerberos calls on behalf of the web application.
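The "Use any authentication protocol" setting and the two prerequisites above (Windows Authorization Access Group membership and the SeTcbPrivilege / SeImpersonatePrivilege user rights) can be set and verified from PowerShell. This is an added example, not the article's code: Enable-ProtocolTransition refuses to turn on protocol transition unless the account already has constrained-delegation targets, and Test-ProtocolTransitionPrereqs reads the local security policy export on the web server to report which of the privileges are actually assigned to the service account. The account name svc-web is assumed; the policy export is parsed from secedit's INF output.

```powershell
# Added example (not from the article): enable protocol transition on an already
# constrained service account and verify the prerequisites the article lists.
# Run on the web server, elevated, with the ActiveDirectory module available.
# The service account name svc-web is assumed.
Import-Module ActiveDirectory

function Enable-ProtocolTransition {
    param([Parameter(Mandatory)][string]$ServiceAccount)
    $acct = Get-ADUser -Identity $ServiceAccount -Properties 'msDS-AllowedToDelegateTo'
    # Protocol transition is only offered together with constrained delegation, so refuse to
    # set "Use any authentication protocol" on an account that has no delegation targets.
    if (-not $acct.'msDS-AllowedToDelegateTo') {
        throw "$ServiceAccount has no msDS-AllowedToDelegateTo targets; configure constrained delegation first."
    }
    Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true
    # Read access to tokenGroupsGlobalAndUniversal comes with this built-in group.
    Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $ServiceAccount
}

function Get-LocalUserRightsAssignment {
    # Export the local security policy and parse its [Privilege Rights] section into
    # a hashtable of privilege name -> array of SIDs (secedit prefixes SIDs with '*').
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = $Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Test-ProtocolTransitionPrereqs {
    param([Parameter(Mandatory)][string]$ServiceAccount)
    $sid    = (Get-ADUser -Identity $ServiceAccount).SID.Value
    $member = Get-ADGroupMember -Identity 'Windows Authorization Access Group' -Recursive |
              Where-Object { $_.SID.Value -eq $sid }
    $rights = Get-LocalUserRightsAssignment
    $hasRight = { param($priv) @($rights[$priv]) -contains $sid }
    # A 'True' under SeTcbPrivilege is the sensitive grant the article warns about:
    # a compromised web application then runs with full control of the server.
    [pscustomobject]@{
        Account                = $ServiceAccount
        InWindowsAuthAccessGrp = [bool]$member
        SeTcbPrivilege         = & $hasRight 'SeTcbPrivilege'
        SeImpersonatePrivilege = & $hasRight 'SeImpersonatePrivilege'
    }
}

# Usage:
# Enable-ProtocolTransition -ServiceAccount 'svc-web'
# Test-ProtocolTransitionPrereqs -ServiceAccount 'svc-web'
```

The privilege check only reports direct SID assignments; if the right is granted through a group, resolve the service account's groups and check those SIDs as well.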

Troubleshooting Kerberos 

Delegation is one of the most difficult Kerberos components to configure, and misconfiguration leads to broken applications. Numerous additional minor problems occur with Kerberos—these problems are important to recognize and remediate.

Two utilities that are commonly used to monitor Kerberos behavior on a Windows machine, as well as to troubleshoot, are Klist and Kerbtray. Klist is a command-line utility that's built in to Windows. This tool lets you see all the tickets currently cached for a session, as well as view the TGT. Simply run klist to view the cached tickets; run klist tgt to view the TGT. To purge cached tickets (and the TGT), run klist purge. Purging tickets lets you get a new TGT with updated group membership stored in it without logging off.


Kerbtray is available in the Microsoft Windows Server 2003 Resource Kit and the Microsoft Windows 2000 Server Resource Kit. The data presented in Kerbtray is the same as Klist; however, Kerbtray runs in the system tray and provides a graphical view rather than text-based output.

The most common problem AD administrators face with Kerberos is duplicate SPNs. SPNs are used to identify services running in the environment. When a user requests a service ticket in order to access a service, the user specifies the SPN of the service he or she is trying to access as part of that request. The KDC subsequently searches for an account holding that SPN and encrypts the ticket using the account's secret. If more than one account has the same SPN defined on it, the KDC won't be able to properly encrypt the ticket because there's more than one secret that can be used to encrypt the ticket.

Duplicate SPNs frequently occur when machines are joined on one domain and then joined to another domain in the forest, leaving an orphaned computer account behind in the old domain. Duplicates can also occur if an SPN is manually entered on multiple user or computer accounts. When the KDC receives a request for a service ticket and finds multiple matches for the specified SPN, an event similar to the one in Figure 7 is logged in the domain controller's (DC's) system log.

There are numerous ways to search for and clean up duplicate SPNs in your forest. The Microsoft article "Event ID 11 in the System log of domain controllers" (support.microsoft.com/kb/321044) discusses several methods for handling the event shown in Figure 7.

Time synchronization is critical to proper Kerberos operation. If the client, server, or KDC clocks aren't synchronized, Kerberos won't work correctly. Kerberos uses a timestamp to secure the various messages it depends on; when clocks don't match across the environment, tickets are erroneously invalidated. By default, AD lets clocks drift a maximum of five minutes in either direction.
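The duplicate-SPN and clock-skew problems in the preceding paragraphs can both be checked proactively rather than waiting for Event ID 11 or a failed logon. The following PowerShell is an added example, not from the article: Find-DuplicateSpn queries the global catalog so that orphaned accounts in other domains of the forest are caught, Get-KdcEventId11 pulls the events shown in Figure 7 from a DC's System log, and Test-KerberosClockSkew measures a machine's offset against a DC with w32tm and compares it to the five-minute tolerance. DC01 and the contoso.com names are the article's; the w32tm output parsing assumes its usual "time, +offset s" sample format.

```powershell
# Added example (not from the article): forest-wide duplicate SPN search,
# KDC Event ID 11 retrieval, and a clock-skew check. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param([string]$GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0])
    # Query the GC on port 3268 so every domain in the forest is covered, not just the local one.
    $objs = Get-ADObject -Server "${GlobalCatalog}:3268" `
        -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    $objs | ForEach-Object {
        $owner = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            # The KDC matches SPNs case-insensitively, so normalize before grouping.
            [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $owner }
        }
    } | Group-Object Spn | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Owners = $_.Group.Owner }
    }
}

function Get-KdcEventId11 {
    param([string]$DomainController = 'DC01', [int]$Days = 7)
    # Event ID 11 from the KDC (Figure 7). The provider name differs between Windows versions,
    # so filter on the ID first and then on the provider name pattern.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'System'; Id = 11; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'KDC|Kerberos-Key-Distribution-Center' } |
        Select-Object TimeCreated, MachineName,
            @{ n = 'Spn'; e = { if ($_.Message -match '\s(\S+/\S+)\s') { $Matches[1] } } }
}

function Test-KerberosClockSkew {
    param([string]$DomainController = 'DC01', [int]$MaxSkewSeconds = 300)
    # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.0000000s" line per sample; use the last.
    $lines   = w32tm /stripchart /computer:$DomainController /samples:3 /dataonly
    $offsets = $lines | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } }
    $offset  = $offsets | Select-Object -Last 1
    [pscustomobject]@{
        DomainController = $DomainController
        OffsetSeconds    = $offset
        WithinTolerance  = ($null -ne $offset) -and ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage:
# Find-DuplicateSpn | Format-Table -AutoSize
# Get-KdcEventId11 -DomainController 'DC01'
# Test-KerberosClockSkew -DomainController 'DC01'
```

The built-in alternative for the first check is setspn -X (with -F for the whole forest), which reports the same duplicates; the PowerShell version is useful when you want the owning distinguished names in a form you can feed into a cleanup or a scheduled report.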

Figure 6: Protocol transition message exchange (User 1, user1@contoso.com; Web Server, www.contoso.com; SQL Server, sql.contoso.com)
1. User 1 authenticates using a forms-based logon.
2. The web server presents its TGT to the KDC and requests a service ticket for User 1 to the http/www.contoso.com service.
3. The KDC evaluates the delegation settings for the web server and, if properly configured, returns a service ticket to http/www.contoso.com for User 1.
4. The web server presents User 1's new service ticket to the KDC and requests a service ticket to the SQL Server system.
5. The KDC evaluates the delegation settings for the web server and, if properly configured, returns a service ticket to mssqlsvc/sql.contoso.com:1433 for user1@contoso.com.
6. The web server presents the new service ticket to the SQL Server system to access the database.

Figure 7: Duplicate SPN event
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 09/26/2010
Time: 08:45:00 PM
User: N/A
Computer: DC01
Description: There are multiple accounts with name MSSQLSvc/sql.contoso.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

Kerberos is highly dependent on DNS. When you define SPNs, you define them in terms of the service's DNS name (e.g., http/www.contoso.com). If you access the www.contoso.com website via a URL other than www.contoso.com, Kerberos won't work correctly. In order to support browsing to applications via just their host name, it's typical to also define an SPN for the host name (e.g., http/www) so that users don't have to enter the service's Fully Qualified Domain Name (FQDN). One scenario in which Kerberos never works is when a service is accessed via IP address. In this case, authentication typically falls back to NTLM.

When authentication falls back to NTLM, applications that depend on Kerberos delegation but don't implement protocol transition will fail. Sometimes NTLM is used because of either a server or browser configuration issue rather than a Kerberos problem. One tool you can use to troubleshoot these types of issues with web applications is a free utility called Fiddler. You can download Fiddler from www.fiddler2.com.

Another common problem is an age-old issue known as token bloat. Kerberos stores a user's group membership (among other things) in the Privilege Attribute Certificate (PAC) section of the user's TGT and subsequently inside the service tickets. When the amount of memory required to store the group membership exceeds a certain value, the membership can no longer be fully stored in the PAC. The Microsoft article "New resolution for problems with Kerberos authentication when users belong to many groups" (support.microsoft.com/kb/327825) discusses how to adjust a registry setting (MaxTokenSize), as well as how to calculate each group's contribution to the total size of the token. Although adjusting this registry setting can temporarily solve this problem, a better solution is to reevaluate your organization's group membership strategy.
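To see whether a user is close to the limit before the registry change becomes necessary, you can estimate the token size with the per-group formula from the Microsoft article cited above (TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from outside the user's domain and SID-history entries, and s counts global groups and universal groups from the user's own domain) and compare it to the MaxTokenSize value on the machine. The PowerShell below is an added example, not the article's code; it reads group membership from the user's constructed tokenGroups attribute, counts any SID it cannot resolve as a 40-byte entry, and assumes 12000 bytes as the MaxTokenSize default when the registry value is absent (the default on the Windows versions this article covers). The user name user1 is the article's example.

```powershell
# Added example (not from the article): estimate a user's Kerberos token size with the
# KB 327825 formula and compare it to the local MaxTokenSize setting.
# Requires the ActiveDirectory module. Example user 'user1' is from the article.
Import-Module ActiveDirectory

function Get-EstimatedTokenSize {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups, sIDHistory
    $userDomainSid = $user.SID.AccountDomainSid.Value
    $d = 0; $s = 0
    foreach ($sid in $user.tokenGroups) {
        $grp = Get-ADGroup -Identity $sid.Value -Properties GroupScope -ErrorAction SilentlyContinue
        if (-not $grp) { $d++; continue }   # unresolvable (e.g. foreign-domain) SID: assume a 40-byte entry
        $sameDomain = $grp.SID.AccountDomainSid.Value -eq $userDomainSid
        switch ($grp.GroupScope) {
            'DomainLocal' { $d++ }
            'Global'      { $s++ }
            'Universal'   { if ($sameDomain) { $s++ } else { $d++ } }
        }
    }
    # Each SID-history entry is carried in the PAC like a domain local group.
    $d += ($user.sIDHistory | Measure-Object).Count
    [pscustomobject]@{
        User           = $SamAccountName
        D              = $d
        S              = $s
        EstimatedBytes = 1200 + 40 * $d + 8 * $s
    }
}

function Get-MaxTokenSize {
    # MaxTokenSize lives under the Kerberos parameters key; if absent, the OS default applies
    # (12000 bytes assumed here, the default for the Windows versions the article covers).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $v = Get-ItemProperty -Path $key -Name MaxTokenSize -ErrorAction SilentlyContinue
    if ($v) { return [int]$v.MaxTokenSize } else { return 12000 }
}

function Test-TokenBloat {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $est = Get-EstimatedTokenSize -SamAccountName $SamAccountName
    $max = Get-MaxTokenSize
    $est | Add-Member -NotePropertyName MaxTokenSize -NotePropertyValue $max -PassThru |
           Add-Member -NotePropertyName AtRisk -NotePropertyValue ($est.EstimatedBytes -gt $max) -PassThru
}

# Usage:
# Test-TokenBloat -SamAccountName 'user1'
```

Running Test-TokenBloat over the members of a few large role groups gives a quick picture of which users are near the limit, which is the input you need for the group membership review the text recommends over simply raising the registry value.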

Quick and Easy Solutions 

In general, you can count on Kerberos to work without incident. But if you need to set up an application that requires Kerberos constrained delegation, you need a solid understanding of how delegated authentication works. When Kerberos does break down, numerous tools let you troubleshoot the problem to find quick and easy solutions.
Claims-based authentication is a flexible framework based on Security Assertion Markup Language (SAML) tokens and built on the Windows Identity Foundation (WIF). Tokens contain assertions about a user's identity that are generated by trusted authentication providers, which include Windows Authentication—just as in Classic Mode Authentication—as well as forms-based authentication (FBA), and standard SAML tokens issued by trusted authorities such as Windows Live ID or Active Directory Federated Services 2.0 (ADFS 2.0). By extending the reach of trusted authentication providers, claims-based authentication enables authentication across Windows-based systems and non-Windows based systems. Claims-based authentication becomes particularly powerful when tokens contain other user attributes, such as demographic or organizational information. These attributes can originate within the user's organization, other organizations, or the Internet.

If you're not familiar with claims-based authentication, that description might sound complex. But it doesn't need to be. Claims-based authentication is just a standards-based, extensible implementation of concepts you already understand as an IT pro supporting Active Directory (AD). This article focuses on the implementation of claims-based authentication in Microsoft SharePoint 2010, but the conceptual foundation will help you with other claims authentication products, including Active Directory Federated Services (ADFS) 2.0.


Extending the reach of trusted authentication providers

by Dan Holme


Reviewing Windows Authentication 

The concepts related to claims-based authentication are straightforward if you start from the perspective of an authentication scheme that you already understand: authentication within a Windows domain. Let's review the basics of Windows authentication as a basis from which to understand claims-based authentication.

When you require access to a system—for example, a file server—the system must know who you are before it grants you access to resources. It would not be manageable to maintain a list of usernames and passwords on each system. Therefore, you create a Windows domain by implementing Active Directory Domain Services (AD DS). Within a domain, all systems trust the authentication mechanism of the domain—Kerberos services running on the DCs—to validate the identity of a user. So, when you access a file server, the file server doesn't have to authenticate you. Instead, you bring to the server a Kerberos service ticket that identifies you. The ticket has been created using processes that include encryption using keys known only by the server and the domain. The server knows that the service ticket is valid. It looks at the ticket to know who you are. The server accepts the ticket's assertion about your identity because the server trusts the source of the ticket—the AD DS domain's Kerberos Key Distribution Center (KDC). Because the server trusts an external authentication provider, it doesn't need to perform authentication.
The Kerberos service ticket also contains a list of your domain security group memberships. Again, because the ticket comes from a trusted authority, the server uses that list of groups. The server builds a token that contains your identity—your user account's SID—and the SIDs of the groups to which you belong. The local security subsystem uses the token to determine whether you have access to a file by comparing the SIDs on the file's ACL with the SIDs in your token. This security token represents you to the local server.

In the past, when a developer wanted to create a secure website, he or she had to build an authentication component. With SharePoint, in Classic Mode Authentication, your Windows security token is translated into an object that represents you within SharePoint. The object is called an SPUser object. The SPUser object in a SharePoint web application is the conceptual equivalent of your Windows security token. It represents you during your interactions with the web application.

Claims Authentication 

A claim is a set of assertions (i.e., information about a user). At the most basic conceptual level, a Kerberos service ticket is a claim that, among other things, asserts a user's identity and group memberships. When you access a SharePoint web application that uses claims-based authentication, the web application accepts a claim and translates that claim into the SPUser object, which represents you during your interactions with the web application.

This is the first difference between Classic Mode Authentication and claims-based authentication. In Classic Mode Authentication, the web application relies on Microsoft IIS to pass your Windows security token to the web application. In claims-based authentication, the web application relies on the farm's Security Token Service (STS) to deliver a token that contains claims, including claims about your identity. The STS is a service application that is required, is created automatically when you create a farm, and should never be removed. Its purpose is to create claims tokens.

In Classic Mode Authentication, IIS relies on AD to perform authentication. IIS can receive credentials via several methods (e.g., NTLM, Kerberos, Basic, Digest). In the case of NTLM, Basic, and Digest authentication, IIS authenticates the credentials against AD. In the case of Kerberos authentication, the service ticket contains credentials that have already been authenticated.

In claims-based authentication, as Figure 1 shows, the STS doesn't actually perform authentication. Instead, it relies on a trusted authority to do so, in the UI. This authority is called the authentication provider. The authentication provider can be Windows (AD) or one of several other providers. If the claims-based application uses the Windows authentication provider, the STS performs essentially the same function as IIS does in Classic Mode Authentication. If Kerberos is available, the service ticket is processed and turned into a set of claims about the user's identity and group memberships. If NTLM, Basic, or Digest authentication are used, the user's credentials are authenticated by AD, and the NT token is translated into a set of claims about the user's identity and group memberships. The resulting claims are provided to the web application as a token, which is translated into an SPUser object within the web application.

By this point in the discussion, you should understand that there's a component called an STS that's doing the work of building tokens that contain claims. The STS's role in creating tokens for SharePoint is conceptually equivalent to the KDC's role in issuing Kerberos tickets on your Windows DC. You should also understand that if you use only Windows authentication, there's conceptually little difference between Classic Mode Authentication and claims-based authentication. But the story is just beginning.

What if you want to make a web application available to partners, but you don't want to add accounts for partner users to your AD DS domain? Before .NET authentication providers were introduced, a web developer would have to write a custom component to authenticate users and to administer user identities. Now, however, you can use the FBA provider to authenticate users against credentials stored in AD DS, in Active Directory Lightweight Directory Services (AD LDS), in a database such as a Microsoft SQL Server database, or in an LDAP data store such as Novell eDirectory, Novell Directory Services (NDS), or Sun ONE. Or you can use SAML to authenticate users based on credentials stored in a token provided by ADFS 2.0, by Windows Live ID, or by a custom trusted source.

Claims-based authentication thus allows SharePoint web applications to be extended to more diverse sets of users, across domains, forests, and non-Windows environments. You can change the authentication provider or the methods of authentication without having to change the web application itself, as long as the web application accepts and understands claims!

Figure 1: Claims-based authentication vs. Classic Mode Authentication

Trust 

How are claims actually built? When you attempt to access a web application that uses claims-based authentication, you're transparently redirected to a sign-in page for the STS, by which you're authenticated. In some cases, such as Windows authentication, you might never even see this transaction if you configure your browser's security settings to authenticate you silently to trusted sites, and if the website is in a trusted zone. In other cases, such as FBA, you'll see a visible page on which to enter your username and password. The STS authenticates you and provides a token to your browser. Your browser then returns to the original website, submits the token, and the web application then knows who you are.

The process uses a series of standards called WS-* standards, which effectively ensure that the token can be used by the web application. To make a long, complicated story short, the web application has been configured to trust the STS. The trust involves the exchange of certificates that are used to encrypt the token. If the web application is able to decrypt the token with the shared secret, it knows that the token must have been generated by the trusted STS.

Trust is at the heart of any security system. In an AD DS domain, each component of Windows trusts the local security subsystem, which in turn trusts the domain, which in turn trusts other domains in the forest, and that trust can then be extended to other domains or forests. In SharePoint, all web applications and services in a farm trust the Security Token Service (STS) of the farm.

Claims 

When a claim is presented to a web application, the claim contains assertions about the user's identity. It also can contain claims about the user's group memberships. Each of the authentication methods available in claims-based authentication can provide the STS with an enumeration of the user's group memberships, which are added to the claim.

But a claim can provide more than just user and group information, and this is where claims become particularly valuable. Let's assume that you want to be able to send email messages to users from a website. How do you determine a user's email address? You can build and maintain a local database of user email addresses, but in an AD DS domain, that information is stored in AD, and so you would need to sync a local database with changes made in AD. Or you can add code to query AD each time you need an email address. Both approaches require additional work by the application developer.

A claim can include a user's email address or any other attribute, such as the user's manager, manager's email address, department, job title, age, or gender. As long as the STS and web application are configured properly, the STS will collect attributes and bundle them into a claim. Because the claims are presented by the user to the web application, the web application doesn't need to maintain local copies of the attributes, nor does it need to look up the attributes in an external source.

Claims-based authentication reduces the burden on applications to maintain or look up information about users. Attributes in claims can be used for a variety of purposes. The user's email address claim can be used to send the user an alert. The user's age claim can be used to provide access to age-restricted content. The user's manager claim can be used to get approval for a vacation request in a workflow.

You can also assign content permissions based on a claim. For example, you can specify that users must have a title of vice president or higher to access content. You can also use claims to look up users. For example, if you want to assign a task to a user but can remember only the user's manager, the picker control can expose the manager attribute of users who belong to the site. Developers are particularly excited about the possibilities that are presented now that SharePoint 2010 supports claims.

Federation 

Let's assume that certain content in a web application can be accessed only by users who are employees of your company, Contoso, or of a partner company, Litware. How do you make this work? It would be a burden to have duplicate copies of all Litware user accounts in your AD DS domain or in a separate database, and to keep changes in sync. It would be much easier to rely on the administrators at Litware to maintain their user accounts and to trust the authentication performed by Litware.

With Windows domains, you could configure a trust whereby the Contoso domain trusts the Litware domain. However, firewalls can prevent trusts from being correctly established and maintained, and many organizations have policies that forbid Windows trusts to external organizations.

Claims-based authentication supports federation (provided by solutions such as Microsoft's ADFS or Ping Identity's PingFederate), which extends the concepts of trust and claims to third parties. For example, you can configure ADFS 2.0 to authenticate users against both domains, without requiring a trust. You then configure SharePoint's STS to trust the STS exposed by ADFS 2.0. From a terminology perspective, SharePoint's STS becomes the relying party STS (RP STS) and the STS of ADFS 2.0 becomes the identifying party STS (IP STS).

When a user attempts to access a website, the site redirects the user to the IP STS for authentication. The SAML token issued by the IP STS (ADFS 2.0 in this example) is then presented to the RP STS (SharePoint's STS in this example), which can augment the token with additional claims before giving the client the token that is then submitted to the web application.

Another example of federated identity is Windows Live ID authentication. You can configure SharePoint's STS to trust tokens that Windows Live ID issues.

SAML Tokens 

SAML tokens can include any number of claims about a user, such as a username and groups to which the user belongs, as well as descriptive attributes. The relying party application receives the SAML token and uses the claims inside to decide whether to grant the client access to the requested resource. Therefore, one of the claims in the token must uniquely identify the user. This is called the identity claim. The IP-STS doesn't need to create the identity claim with the username submitted when the user logs on to the IP-STS. For example, AD FS doesn't have to create the identity claim with a user's domain username. The IP-STS can instead create the identity claim using another unique identifier. Many implementations of claims use the email address attribute as the identity claim. The RP-STS must know which claim is guaranteed to be unique for tokens created by the IP-STS.

For this reason, configuration of a claims environment using SAML token-based authentication requires cooperation between the administrators of the RP-STS and IP-STS. The following elements must be coordinated:

• In SharePoint 2010 products, each web application that is configured to use a SAML provider is added to the IP-STS server as a separate RP-STS entry. The owner of the IP-STS performs this task. Each web application is identified as a realm, which is simply the URL namespace associated with the relying party web application (e.g., https://portal.contoso.com).

• Only the owner of the IP-STS knows which value in the token will always be unique per user and therefore can be relied upon as the identity claim. That information must be communicated to the owner of the IP-STS.

• Tokens are signed using a certificate generated by the IP-STS. That certificate must be transferred from the IP-STS to the RP-STS.

Implementing SAML token-based authentication with SharePoint 2010 products involves the following processes:

1. Export the token-signing certificate from the IP-STS. This certificate is known as the ImportTrustCertificate.

2. Copy the certificate to a server computer in the SharePoint Server 2010 farm. Remaining steps are performed on the same server:

3. Define the claim that will be used as the unique identifier of the user. Identifying the unique identifier for the user is part of the claims-mapping process. You use PowerShell to perform claims mapping.

4. Define additional claims mappings (i.e., define other values in the token that will be used by the RP-STS). For example, many tokens include a value that specifies user roles that can be used to permission resources in the SharePoint 2010 farm. Claims from an incoming token that do not have a mapping will be discarded.

5. Create a new authentication provider by using PowerShell. This process creates the SPTrustedIdentityTokenIssuer. During this process, you submit the ImportTrustCertificate, the identity claim mapping, and additional claim mappings. You must also create and specify a realm—the URL namespace that's associated with the first SharePoint web applications that you're configuring for SAML token-based authentication.

6. After the SPTrustedIdentityTokenIssuer is created, you can create and add more realms for additional SharePoint web applications. This is how you configure multiple web applications to use the same SPTrustedIdentityTokenIssuer. For each realm that you add to the SPTrustedIdentityTokenIssuer, you must create an RP-STS entry on the IP-STS.

7. Create a new SharePoint web application and configure it to use the newly created authentication provider. The authentication provider will appear as an option in Central Administration when you select the claims mode for the web application.
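Steps 2 through 6 above are what the SharePoint 2010 Management Shell session on the farm server looks like. The following is an added example and not the article's code: it registers the exported token-signing certificate, defines the email-address identity claim and a role claim mapping, creates the SPTrustedIdentityTokenIssuer with the first realm, and then adds a second realm for another web application. The certificate path, the ADFS sign-in URL, the realm values and the two claim type URIs are assumed values for a Contoso farm trusting an ADFS 2.0 IP-STS; the cmdlet names and parameters are SharePoint 2010's.

```powershell
# Added example (not from the article): the PowerShell side of steps 2 to 6,
# run from the SharePoint 2010 Management Shell on one farm server.
# All paths, URLs, realms and claim type URIs below are assumed values.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$certPath   = 'C:\certs\adfs-token-signing.cer'        # exported from the IP-STS (step 1), assumed path
$signInUrl  = 'https://adfs.contoso.com/adfs/ls/'      # IP-STS passive sign-in endpoint, assumed
$realm      = 'https://portal.contoso.com'             # URL namespace of the first web application
$emailClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$roleClaim  = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'

# Step 2: the ImportTrustCertificate; registering it as a trusted root authority makes
# the farm accept tokens signed by this certificate. One signing cert per farm only.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
New-SPTrustedRootAuthority -Name 'ADFS Token Signing' -Certificate $cert | Out-Null

# Step 3: the identity claim. Email address is used here, so the IP-STS owner must
# guarantee it is unique per user.
$emailMap = New-SPClaimTypeMapping -IncomingClaimType $emailClaim `
              -IncomingClaimTypeDisplayName 'EmailAddress' -SameAsIncoming

# Step 4: an additional mapping. Incoming claims without a mapping are discarded by the RP-STS.
$roleMap = New-SPClaimTypeMapping -IncomingClaimType $roleClaim `
             -IncomingClaimTypeDisplayName 'Role' -SameAsIncoming

# Step 5: create the authentication provider (SPTrustedIdentityTokenIssuer) with the first realm.
$issuer = New-SPTrustedIdentityTokenIssuer -Name 'Contoso ADFS' `
            -Description 'ADFS 2.0 IP-STS for contoso.com' `
            -Realm $realm -ImportTrustCertificate $cert `
            -ClaimsMappings $emailMap, $roleMap `
            -SignInUrl $signInUrl -IdentifierClaim $emailMap.InputClaimType

# Step 6: add a realm for a second web application. The IP-STS owner must create a
# matching RP-STS entry for this realm, or tokens for it will be rejected.
$issuer.ProviderRealms.Add([uri]'https://team.contoso.com', 'https://team.contoso.com')
$issuer.Update()

# Step 7 is done in Central Administration; this lists what the farm now trusts.
Get-SPTrustedIdentityTokenIssuer | Select-Object Name, ProviderRealms
```

Keep the realm strings identical on both sides: the value passed as -Realm (and each ProviderRealms entry) is what SharePoint sends to the IP-STS as the relying party identifier, so a mismatch with the RP-STS entry shows up as a sign-in loop rather than a clear error.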

You can configure multiple SAML token-based authentication providers. However, you can use a token-signing certificate only once in a farm. All configured providers will appear as options in Central Administration. Claims from different trusted STS environments won't conflict.

If you're implementing SAML token-based authentication with a partner company and your own environment includes an IP-STS, I recommend that you work with the administrator of your internal claims environment to establish a trust relationship from your internal IP-STS to the partner STS. The result is a type of chain of trust and authentication, in which your SharePoint applications trust your IP-STS, and your IP-STS trusts the partner IP-STS, thereby ensuring that authentication (e.g., the maintenance of user identities) is administered by each organization independently. This approach doesn't require adding another authentication provider to your SharePoint Server 2010 farm. It also allows your claims administrators to manage the entire claims environment.

Note: If you use SAML token-based authentication with AD FS on a SharePoint Server 2010 farm that has multiple web servers in a load-balanced configuration, it might affect the performance and functionality of client web-page views. When AD FS provides the authentication token to the client, that token is submitted to SharePoint Server 2010 for each permission-restricted page element. If the load-balanced solution isn't using affinity, each secured element is authenticated to more than one SharePoint server, which might result in rejection of the token. After the token is rejected, SharePoint redirects the client to reauthenticate back to the AD FS server. After this occurs, an AD FS server might reject multiple requests that are made in a short time period. This behavior is by design, to protect against a denial of service (DoS) attack. If performance is adversely affected or pages don't load completely, consider setting network load balancing to single affinity. Doing so isolates the requests for SAML tokens to a single web server. 

The SharePoint 2010 Technical Library (technet.microsoft.com/en-us/library/ee806886.aspx) has more details about these procedures. 

What It's All About 

Claims-based authentication lets you extend both authentication (identification) and the collection of informational attributes about a user to sources beyond an application and beyond your domain. Many IT pros will experience claims first with SharePoint 2010, others with AD FS 2.0, and yet others with Azure, but there's no doubt that in the coming years, claims authentication is what it will all be about in the identity-management space. 
Linoma Releases Reverse Proxy Server 

Linoma Software has released GoAnywhere Gateway, a new reverse proxy server. The product lets customers connect through the public network to designated FTP, FTPS, SFTP, or HTTPS resources in GoAnywhere Services, the company's secure file server, which would be located on the private network. GoAnywhere Gateway highlights include: no incoming ports are opened into the private network, reducing the risk of network intrusion; no sensitive files are stored on the public network; user credentials, permissions, keys, and certificates are maintained in the private network; and services configurations are maintained in the private network. GoAnywhere Gateway can be installed on Windows, Linux, UNIX, AIX, and Solaris platforms, and pricing starts at $2,995. To learn more, visit www.goanywheremft.com. 

Davinci Migrator Smooths SharePoint 2010 Transition 

Axceler has released Davinci Migrator for SharePoint 2010. Davinci Migrator for SharePoint 2010 offers comprehensive, risk-based control when moving to SharePoint 2010. Features include: detailed pre-migration analysis and rules engine, allowing users to follow best practices, identify issues during planning, rank them by severity, and recommend actions before moving forward; support for both granular and entire-site migrations from SharePoint 2003 and 2007 to the new SharePoint 2010 platform; an optimized architecture for large content databases and complex enterprise configurations that have many SharePoint administrators per farm; and support for migrating in waves, based on user-defined timetables, priorities, and severity of issues found, which reduces team and resource impact. To learn more, visit www.axceler.com. 

TeamViewer Improves Remote Support 

Remote support product TeamViewer now offers enhanced support for terminal servers, drag and drop file transfer, and completely searchable partner lists through TeamViewer 5.1. With the latest update, all users receive a TeamViewer ID, letting supporters connect to any terminal server user. The program also now supports connecting to multiple users on a terminal server. Other enhancements include improved multi-monitor handling and automatic detection of additional screens. An optimized remote toolbar offers a Ctrl+Alt+Del button for when the remote computer inputs Ctrl+Alt+Del. In addition, partner lists are now searchable and groups are matched, enabling a more efficient collaborative work environment. To learn more, visit www.teamviewer.com. 

Dot Hill Introduces First 10Gb iSCSI Storage Systems for SMB Market 

Dot Hill Systems has introduced the Dot Hill AssuredSAN 3400 Series, delivering 10Gb/second iSCSI storage capabilities to address expanding bandwidth demands that have been driving network convergence and I/O port consolidation. Leveraging the high bandwidth that 10Gb/second Ethernet now offers, the AssuredSAN 3420 and 3430 storage arrays offer a number of new capabilities. According to the vendor, inclusion of the 10GbE high speed interface in a cost-effective storage array makes the 3400 Series well-suited for customer applications such as rich media post-production, video streaming, high performance computing (HPC) applications, and applications running on virtual servers. 

"The AssuredSAN 3400 Series makes 10Gb iSCSI storage solutions a reality for our channel partners and their SMB customers for the first time," said David Zimmer, vice president of worldwide channel sales and marketing, Dot Hill. "Our resellers and customers continue to look to Dot Hill to deliver the latest technology at affordable price points and the AssuredSAN 3400 line is ideal for solution providers interested in offering storage solutions that are on the leading edge of technical innovation." 

According to Dot Hill, one of the primary requirements for users considering storage purchases is the cost of future expansion. One of the reasons customers are considering 10Gb iSCSI SANs is to support immediate, increased server demands and higher bandwidth applications, as well as future expansions. 

"We have been shipping 10GbE infrastructure for enterprise applications for over three years. The Dot Hill 3400 Series is the key piece in the puzzle for us to deliver the full benefits of converged 10GbE infrastructure extending to the SMB segment," said Alexander Jeffries, managing director of Stordis and Dot Hill customer. "The availability of trusted, high quality storage will dramatically increase the attractiveness of the whole 10GbE proposition and deliver a massive value add to existing 10GbE users." 

The Dot Hill AssuredSAN 3400 Series starts at $18,970. To learn more, visit www.dothill.com. 

Genetec Releases Compact Network Security Appliance 

Genetec has announced SV-16, a network security appliance powered by Genetec's software. The new appliance comes preloaded with Genetec's well-known video surveillance system, Omnicast, and is targeted for small-scale installations under 16 cameras and for multi-site installations with small remote locations. According to the vendor, the SV-16 Network Security Appliance offers customers the flexibility of an advanced IP video surveillance solution and the simple deployment of an all-in-one appliance. The appliance weighs 13 ounces and manages up to 16 IP cameras, supports wireless connectivity, and offers up to 500GB of internal storage. To learn more, visit www.genetec.com. 

BrightWork Updates pmPoint for SharePoint 2010 

BrightWork has updated BrightWork pmPoint to support SharePoint 2010. BrightWork pmPoint for SharePoint 2010 is a comprehensive project management solution, offering a system that is easy to deploy and can now be used with Microsoft Project 2010 to SharePoint sync. The product contains a number of templates that can be adapted to an organization's projects. The solution also offers reporting that can combine data across several project sites into dashboards. To learn more, visit www.brightwork.com. 

EnerNOC Releases CarbonSMART 

EnerNOC has released a carbon management application, CarbonSMART. CarbonSMART is a Software-as-a-Service (SaaS) carbon management and accounting application designed to help organizations measure, manage, and report greenhouse gas emissions. CarbonSMART's SaaS-based approach centralizes data collection across any number of facilities and geographies and provides a secure, auditable process and database that lets customers prioritize carbon mitigation strategies. For multi-application customers, EnerNOC further accelerates reporting by transferring energy usage data collected by its other energy management applications into CarbonSMART. To learn more, visit www.enernoc.com/solutions. 

TwinStrata and Veeam Deliver Cloud Storage for VMware Backups 

TwinStrata and Veeam have announced a solution for the creation and storage of VMware backups. The solution combines TwinStrata's CloudArray and Veeam Backup & Replication for a pay-as-you-go cloud storage offering. CloudArray encrypts data prior to transporting it to cloud storage, and Backup & Replication offers advanced deduplication capabilities. To learn more or to download a 30-day free trial, visit www.twinstrata.com. 



Paul's Picks 

www.winsupersite.com 

SUMMARIES of in-depth product reviews on Paul Thurrott's SuperSite for Windows 

Windows Phone 7 

PROS: Innovative and usable new UI; powerful hardware; excellent cloud services connections 
CONS: No cut and paste and third-party multitasking yet; only partial EAS policy support 
RATING: ♦♦♦♦◇ 
RECOMMENDATION: Windows Phone 7 is a game changer, for both Microsoft and the broader smartphone industry. Though new to the smartphone market, it's already the most user-centric system out there, putting the iPhone, in particular, to shame. Windows Phone isn't perfect: It's missing obvious features like copy and paste and multitasking for third-party apps, though Microsoft says it will be adding those in 2011, for free. It's also only partially compatible with Exchange ActiveSync (EAS) policies, meaning that the tired Windows Mobile system will be kicking around for another year or so until Microsoft fixes that as well. No matter: Windows Phone 7 offers an innovative UI that users are going to love and deep integration with consumer-oriented online services. This is a great start, and already a thoroughly capable alternative to the now dated iPhone and Android hegemony. It's time to move on to the next generation, people: Windows Phone is it. 

CONTACT: Microsoft • www.microsoft.com 
DISCUSSION: winsupersite.com/mobile/wp7.asp 

Office 365 Beta for Small Businesses 

PROS: Lower pricing and less restrictive than BPOS 
CONS: Still more expensive than Google Apps Premium; no client version of Office included 
RATING: ♦♦♦♦◇ 
RECOMMENDATION: Microsoft's office productivity solutions have always been excellent, but although the company had previously made some strong moves to the cloud with offerings like Office Live Small Business and hosted Exchange and SharePoint in the Business Productivity Online Suite (BPOS), these products—especially BPOS—were priced well out of the reach of most small businesses. Meanwhile, Google offers free and inexpensive ($50 per user per year) versions of its Apps suite, an obvious alternative for budget-strapped businesses. So with Office 365, Microsoft finally gets it right, both from a pricing perspective—the small business version is $72 per user per year—and from a branding perspective: Now, rather than a confusing mix of disparate brands, all of the company's online productivity tools are branded as Office 365. All that's missing is the full client Office suite, though larger businesses can get that in the more expensive and capable Office 365 for Enterprise. 

CONTACT: Microsoft • www.microsoft.com 
DISCUSSION: www.winsupersite.com/office/office365_preview.asp 

INSIGHTS FROM THE INDUSTRY 


In Search of Exchange Server Community 


I've been thinking a lot lately about this concept of "community" specifically as it relates to life in the Internet age, and even more specifically as it relates to the world of Microsoft Exchange Server. Having other people to discuss and exchange ideas with can be essential for furthering your knowledge and understanding of the technologies you work with, yet the life of many IT pros and Exchange Server administrators is most likely very insular. Finding the time to interact with others to form community can be all but impossible. 

I've recently been diving into Twitter (@bkwins). I've found this a great place to find out what the experts in the community are saying; you can always count on them to tweet links to their latest blog posts. And you can also get timely updates from the Exchange team and other Microsoft product teams you might have an interest in, as well as many of the individual experts and developers from those teams. Twitter is a fairly open environment that lets you interact with just about anyone you want—but there's no guarantee they'll respond. 

And it's harder to find and build community with Exchange admins who aren't blogging and tweeting regularly but are just out there doing their jobs daily the best they can. I'm sure that doesn't mean these individuals don't have useful and interesting things to say; they probably just don't have a lot of extra time to say it or don't feel confident that anyone cares to listen (perhaps because overbearing bosses have told them to just shut up and get their work done). But I know from personal experience that sometimes the only way to figure out what you already know is to talk it out or even try to explain it to someone else—and you can't do that in isolation. 

Another potential source of community online is forums, and you can find many with general IT topics as well as some with a dedicated Exchange focus. Probably some of the best technical minds can be found on the Microsoft TechNet forums, where you can expect interaction with Microsoft employees and MVPs. Within the broader forums, you'll find areas dedicated to Exchange Server 2010 and Exchange Server generally. Of course, forums can be sort of hit or miss: Sometimes you get the answer you're looking for and possibly make a connection; other times you're met with absolute silence, no matter how many times you try to rephrase the question. 

If you have a user group in your area, that's undoubtedly a great way to connect with other admins facing similar problems. However, you might not have an Exchange-focused group nearby—which is what I discovered, to my surprise, here in the Denver/Northern Colorado area. We've got some Windows or general IT groups, and there's even a thriving SharePoint group. But if your job is focused on Exchange, you probably won't get enough Exchange discussion from a group such as those. On the other hand, how many admins have the luxury to focus just on one platform or technology these days? 

When I started thinking about Exchange community, I asked our Exchange contributing editors, Tony Redmond and Paul Robichaux, what they thought. They brought up the now-defunct Microsoft Exchange Conference (MEC). Tony went so far as to say he thought the Exchange community had "lost its way" since Microsoft stopped hosting that conference, and both Tony and Paul ended up writing blogs about what MEC meant to the Exchange community—good reads, both, which you can find links to on the web version of this article at www.windowsitpro.com/go/exchangecommunity. 

Although MEC isn't around anymore, there are certainly other Exchange conferences you might consider attending. In addition to technical sessions on the latest developments with Exchange Server, the experience can provide you the opportunity to meet and interact in person with both other admins from the field as well as the experts giving the sessions. You'll also have the chance to meet with vendors of third-party products that you might be considering and see live demos. 

As with every other means to community, however, going to a conference isn't a simple solution. Travel budgets aren't what they used to be, and even spending time away from work itself can be too difficult to arrange. You can certainly attend online seminars and virtual events to pick up the technical content, but I'm not sure how good those solutions are for developing community. 

I make the assumption that to succeed 
at your job, you need to establish some 
form of community. You might not agree; 
perhaps you feel you work best in isolation. 
I'd be interested to hear your thoughts. Let 
me know where you go to find answers 
and establish dialog with your peers about 
issues that concern you in messaging and 
mobility. 

—B. K. Winstead 
INDUSTRY BYTES 


Top Security Risks for Small-to-Midsized Business IT Pros 


A couple of weeks ago I attended a web seminar about the top security-related risks for SMBs. Randy Franklin Smith, contributing editor for Windows IT Pro and esteemed security consultant, highlighted what he considers to be the 5 biggest risks. 

1. Endpoint Compromise 

Endpoints are the least secure part of a network because they deal with the most content from the Internet and therefore the greatest amount of malware. Physical security is also a risk, not only for laptops but also for desktop systems. Unlike servers, workstations are rarely locked up. Most security updates are targeted at patching endpoint-centric vulnerabilities. Endpoints are especially vulnerable in SMBs because of a lack of centralized systems management or consistent security policies. In addition, SMBs often rely on desktop client applications—and more applications installed and data stored on clients results in a greater potential attack area. 

2. Data Leakage 

Around half of all SMBs have lost confidential data, mostly through theft. Data leaks cost SMBs an average of $300,000 per incident. Most data leakage solutions are designed for larger enterprises, which leaves SMBs relatively unprotected. 

3. Failed Data Backup and Recovery 

The majority of users in SMBs store critical 
data on their desktops and laptops, which 
typically aren't backed up properly. And 
even when backup does occur, 50 percent 
of all tape backups fail to restore. Around 
25 percent of PC users suffer data loss each 
year. These numbers are even scarier in 
light of the fact that about 70 percent of 
small businesses that experience a major 
data loss go out of business within a year 
of that loss. 

4. Email Integrity 

Many SMBs use consumer-based endpoint-centric email security solutions, which don't work for these organizations because they're installed on individual machines and therefore aren't centrally managed. Hosted email security solutions often aren't flexible enough for SMBs and might not be comprehensive enough. Some anti-spam solutions can also be too restrictive, keeping important email messages from getting through. Email availability is as important as email security. 

5. IT Management Costs 

SMB IT pros often try to upsize consumer 
solutions or downsize enterprise solutions, 
neither of which is efficient or cost-effective. 
The SMB IT pro must be a jack of all trades— 
gone are the days of IT specialization. But 
with too many products to manage, you 
end up with too many agents to track on 
the desktop. Simply tending to security and 
systems management can keep IT pros from 
spending time where it's really needed—on 
leveraging new technologies to advance 
the organization's business. 

To listen to the complete 30-minute 
webinar, go to www.windowsitpro.com/ 
go/5securityrisks. 

—Lavon Peters 


Top 5 Misconceptions about Biometric Security 




Security continues to be one of the great challenges of the 21st century, and the threats are only growing. There has been much ado about the fallibility of passwords, but they're still the most common standard of security. Could biometrics be the silver bullet? Before we can answer that question, we need to set aside the common misconceptions people have about biometric technology, and start to view it as a valid option in today's business world. 

1. Biometrics is too complex to install and maintain, and it will disrupt my existing infrastructure. Any biometrics company you work with will walk you through installation, and maintenance is as simple as maintaining the actual reader devices. And integration is not a problem—most solutions integrate with HR providers for a seamless connection. 

2. Biometrics isn't safe—that data could get stolen. The idea here is that it's bad enough to have a password or PIN stolen, but what happens when someone steals your fingerprint? I've discussed this with several biometrics companies, and they have all ensured me that the biometric data is encrypted and no images are really stored—only a mathematical representation that is nearly impossible to re-engineer. "I have yet to come across one single story or case where someone's biometric identity is stolen and used for nefarious purposes," said John Trader with M2SYS Technology. "I've scoured the Internet. I've talked to professionals. Nobody knows of a case where this has actually happened." 

3. It can't work or isn't practical for my organization/situation. Many organizations think biometrics are ideal only for government agencies and organizations super concerned about security. But really, biometrics offer a variety of different advantages, such as saving time (single-sign-on to avoid password resets, reducing time and Help desk calls); reducing waste (getting rid of time slips, punch cards, etc.); and security. 

4. The technology isn't there yet—too many false positives and false negatives. While it's true that fingerprint scanning has some false positives and false negatives, the more sophisticated technologies (such as finger and palm vein scans) have very high accuracy rates, regardless of work conditions that could compromise the sample. If you use a solution that lets you use a variety of types of biometric authentication, you can combine convenience and accuracy. 


5. It's too expensive. Probably the biggest reason biometrics are not used is because they're considered too expensive. "I think it's a basic misunderstanding of the long-term savings you can achieve using biometric technology," Trader said. "People are only thinking of the up-front cost. They aren't thinking about, 'How much can I save with not having to print ID cards? How much time can I save my payroll department for not having to reconcile time sheets?' Biometrics offers the best price for your return on investment." 

—Brian Reinholz 


More PowerShell Articles from Don Jones 

Manipulating Excel files with PowerShell 
windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/72324/Manipulating-Excel-files-with-PowerShell.aspx 

A Peek into a PowerShell Class (and a Script Module / Advanced Function example) 
windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/72313/A-Peek-into-a-PowerShell-Class-and-a-Script-Module-Advanced-Function-example.aspx 

Four Ways to Get Computer Names to the -computerName Parameter 
windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/72306/Four-Ways-to-Get-Computer-Names-to-the-computerName-Parameter.aspx 

The Pickiness with PowerShell Philters 
windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/72305/The-Pickiness-with-PowerShell-Philters.aspx 

Why Doesn't Write-Debug Work? (and what's it for, anyway?) 
windowsitpro.com/blogs/PowerShellwithaPurpose/tabid/2248/entryid/68836/Default.aspx 


Using PowerShell in a DNS Migration 

I recently received a question from James via email: "Can you point me in the right direction in order to be able to create a script that would allow us to automate our DNS migration across our environment." 

I immediately thought of the Win32_NetworkAdapterConfiguration WMI class. Now, the trick with this class is figuring out how to query just actual Ethernet adapters and not all the fake virtual adapters in Windows. I do it this way: 

    PS C:\> gwmi win32_networkadapterconfiguration | 
        where {$_.description -like '*intel*' } 

That'll differ in your environment, but you get the idea. From there, you can execute some methods of that class. There's a SetWINSServer method, a SetDNSDomain method, a SetDNSSuffixSearchOrder method, and so on. I don't see "DNS Connection," although I'm not sure what you're looking for on that setting, James. With the right method, you're on the right track. You could implement this as a logon script, or just target computers remotely: 

    PS C:\> gwmi win32_networkadapterconfiguration -computername client1,client2,client3 | 
        where {$_.description -like '*intel*' } | 
        invoke-wmimethod -name setwinsserver -arg '192.168.10.1','192.168.12.5' 

It gets a bit tricky passing in arrays (which is what SetDNSServerSearchOrder requires, for example), but there are plenty of examples out there. Now, the one thing you won't get is the enabling of LMHOSTS, which isn't an adapter setting but is an operating system setting buried in the registry. Visit www.pctools.com/guides/registry/detail/1285 for some good details on which key to use, and you can use the registry drives (HKLM:) in PowerShell to access those settings. This is a perfect time to look into Invoke-Command and PowerShell v2 remoting (assuming you've deployed, or can deploy, PowerShell 2.0 to your target machines), since it'll let you manipulate the registry on the remote machines very easily. 

All that said, when it comes to client computers at least, I'm accustomed to just using DHCP to push out those values. You can do DNS servers, domain name, WINS servers, and lots more. That's a big reason I usually put my servers on DHCP reservations, in fact—so that I can change these options via DHCP without a lot of hassle, but still have the servers getting the same address. 

—Don Jones 
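The array-argument case the column mentions, as an added example that is not Don Jones's code: it pushes a new DNS server search order to the physical adapters of several computers through WMI, re-reads each adapter, and reports the method's return code so a failed change on one host does not go unnoticed. The computer names client1 through client3, the two DNS addresses and the '*intel*' description filter are constructed values standing in for your own.

```powershell
# Added example (not the column's code). Computer names, DNS addresses and
# the adapter description filter below are constructed for illustration.
# Written for PowerShell 2.0, so no [pscustomobject] shorthand is used.

$computers  = 'client1', 'client2', 'client3'
$dnsServers = '192.168.10.1', '192.168.12.5'    # new primary and secondary DNS

$report = foreach ($computer in $computers) {
    # Only adapters that actually carry IP; the description filter then
    # weeds out the virtual adapters, the same way the column does it.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                              -ComputerName $computer -Filter 'IPEnabled = TRUE' |
                Where-Object { $_.Description -like '*intel*' }

    foreach ($adapter in $adapters) {
        $before = $adapter.DNSServerSearchOrder -join ','

        # SetDNSServerSearchOrder takes a single string[] parameter.
        # -ArgumentList unrolls an array into one argument per element, so the
        # list is wrapped in a one-element array to hand WMI the whole array.
        $result = Invoke-WmiMethod -InputObject $adapter `
                                   -Name SetDNSServerSearchOrder `
                                   -ArgumentList @(,$dnsServers)

        # Re-read the adapter so the report shows what is really configured,
        # not what we asked for.
        $after = (Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                                -ComputerName $computer `
                                -Filter "Index = $($adapter.Index)").DNSServerSearchOrder -join ','

        # ReturnValue 0 = success; 1 = success, reboot required;
        # any other value is a Win32_NetworkAdapterConfiguration error code.
        New-Object PSObject -Property @{
            Computer    = $computer
            Adapter     = $adapter.Description
            ReturnValue = $result.ReturnValue
            DnsBefore   = $before
            DnsAfter    = $after
        }
    }
}

# Anything with a non-zero ReturnValue, or DnsAfter still equal to DnsBefore,
# is a host to look at before declaring the migration done.
$report | Format-Table Computer, Adapter, ReturnValue, DnsBefore, DnsAfter -AutoSize
```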
CTRL+ALT+DEL 

by Jason Bovberg 

USER MOMENT OF THE MONTH 

A few years ago, I got a rather interesting call from a remote user. He told me he was unable to connect to the Internet from his laptop, and I began asking him some basic questions about his system. He seemed distracted, pausing for a long time before giving me answers. These weren't tough questions, and yet he was struggling with every one of them. Finally, he said, "Can you hold on?" There were muffled voices, and then a kid's voice came on the line, saying meekly, "Hello?" I asked who I was talking to. "His son," came the reply. I proceeded with my questions, and the boy answered them quickly and perfectly. When the problem was solved, I thanked him and asked him his age. "I'm 10," he said proudly. "Here's my dad." The father thanked me and also apologized. 

—Mary 


PRODUCT OF THE MONTH 

If our reader surveys are any indication, we understand the IT pro's love of both Star Trek and pizza. We completely share that love, and apparently so does ThinkGeek, which recently announced the availability of its Star Trek Pizza Cutter. "After years of staring at the iconic shape of the Star Trek Enterprise," says ThinkGeek's Ty Liotta, "we finally realized in one 'aha!' moment what the saucer section of the ship was best used for... cutting pizza! After a bit of ergonomic adjustment we ended up with the best pizza wheel this side of the galaxy." The Star Trek Pizza Cutter is available now at ThinkGeek.com for $24.99. 



Figure 2: Successful failure 



In our Windows IT Pro Community Choice survey, we took the opportunity to ask you a few lighthearted questions about your job. You'll see some of those findings throughout our awards coverage toward the front of this magazine. But we left one particular question for the back page. Here are the top IT support questions you've received from users. 


10. Wait, where should I write "Click"? 

9. Can I copy the Internet to disk? 

8. Does Windows 7 fix Windows Vista? 

7. Can you help me start my computer? 

6. How do I type a capital "5"? 

5. Is this the latest version of the Internet? 

4. What does QWERTY mean? 

3. Where's the Any key? 

2. Can I get a white ink cartridge for my printer? 
1. What's my password? 